
impacket's Issues

Add Unicode support to the smbserver

As Simple as that..

In particular useful for two reasons:

1) Newer OSX clients would reject the connection if Unicode is not supported
2) Foreign language letters are not properly shown right now.


Original issue reported on code.google.com by [email protected] on 11 Sep 2012 at 4:33

secretsdump.py not working against winXP

What steps will reproduce the problem?
1. Get a WinXP (e.g. SP2) and have the Administrator password
2. run secretsdump.py against that host 

What is the expected output? What do you see instead?
To dump the target's secrets

Result:

It does not, it dumps the following error:
[*] Target system bootKey: 0x
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[!] hashedBootKey CheckSum failed!
[*] Cleaning up... 

Original issue reported on code.google.com by [email protected] on 26 Feb 2014 at 4:18

Parse unordered WiFi elements

What steps will reproduce the problem?
dot11 module assumes that 802.11 elements have ordered ids. When searching for 
an element using _find_element() it will stop searching after it found an 
element with an id larger than the one to be found. 
IDs don't have to be ordered (Mac-OSX association request has first the 
ext-supported-rates (id : 50) and then the ht-capability element (id:45)).
Trying to find the ht-capability element (using _get_element(45)) returns None 
even though there is such an element.

What is the expected output? What do you see instead?
You'd expect to be able to parse the unordered elements, which is not the case.

What version of the product are you using? On what operating system?
trunk (revision 805)


Please provide any additional information below.

Attached a diff that removes the redundant check-skip.

Original issue reported on code.google.com by [email protected] on 9 Oct 2013 at 10:35

Attachments:
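Worked example of the lookup behaviour described in this report, added here and not part of impacket or of the reporter's attached diff. It parses a constructed 802.11 element buffer (the element ids follow the out-of-order arrangement the report describes; the value bytes are made up) and compares the early-exit lookup with a full scan. The names parse_elements, find_element_ordered and find_element are this example's own.

```python
# Added example (not impacket code): 802.11 information elements are a TLV
# list; look an element up by id without assuming the ids are sorted.
import struct

# Constructed association-request fragment: Extended Supported Rates (id 50)
# appears before HT Capabilities (id 45), as the report describes.
SAMPLE_ELEMENTS = (
    bytes([0, 4]) + b"test"                              # SSID (id 0)
    + bytes([1, 4]) + bytes([0x82, 0x84, 0x8b, 0x96])    # Supported Rates (id 1)
    + bytes([50, 2]) + bytes([0x0c, 0x12])               # Ext Supported Rates (id 50)
    + bytes([45, 3]) + bytes([0x6c, 0x00, 0x17])         # HT Capabilities (id 45)
)

def parse_elements(buf):
    """Split a buffer into (id, value) tuples; a truncated element raises."""
    out = []
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated element header at offset %d" % off)
        eid, length = struct.unpack_from("BB", buf, off)
        off += 2
        if off + length > len(buf):
            raise ValueError("element %d claims %d bytes, only %d left"
                             % (eid, length, len(buf) - off))
        out.append((eid, buf[off:off + length]))
        off += length
    return out

def find_element_ordered(elements, wanted):
    """The early-exit lookup the report describes: gives up as soon as an id
    larger than the wanted one is seen, so a later element is never reached."""
    for eid, value in elements:
        if eid == wanted:
            return value
        if eid > wanted:
            return None
    return None

def find_element(elements, wanted):
    """Full scan: ids need not be sorted, so every element is checked."""
    for eid, value in elements:
        if eid == wanted:
            return value
    return None

if __name__ == "__main__":
    elems = parse_elements(SAMPLE_ELEMENTS)
    print("early-exit lookup of id 45:", find_element_ordered(elems, 45))
    print("full-scan lookup of id 45: ", find_element(elems, 45))
```

The full scan costs nothing extra on a frame of this size, and the bounds checks in parse_elements matter just as much: a length byte that overruns the buffer is as common in captured traffic as an out-of-order id.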

dump password history hashes with secretsdump.py

This patch will also dump password history hashes. Output will look like this:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:27272719c2d1d2bb8d74d039a81f0
e49:::
Administrator_history0:500:43a6ed35a36f74e27eab299ffc718400:27272719c2d1d2bb8d74
d039a81f0e49:::
Administrator_history1:500:99edd16fb222f96a1d65d9a46ae841e5:a881324bad161293dedc
71817988d944:::
Administrator_history2:500:20bfe873abe902924cb257ea8beb22da:97f94ef9c49c0b2043d4
de224e1427e9:::
Administrator_history3:500:d456e6c39078198bcc5f58d2377c48ff:a881324bad161293dedc
71817988d944:::
WIN-LEK1BKKKKD8$:1003:aad3b435b51404eeaad3b435b51404ee:02e5b61204e2e970ceb6410b0
6648c25:::
WIN-LEK1BKKKKD8$_history0:1003:4ea35f0be7da7db8940146b02a77e793:02e5b61204e2e970
ceb6410b06648c25:::
WIN-LEK1BKKKKD8$_history1:1003::a44cf5558e85cb1c3f24b5fa90fdda30:::

It was tested successfully with r942 + this patch against Windows 2008 R2 SP1 
domain controller.

Cheers

Original issue reported on code.google.com by [email protected] on 22 Nov 2013 at 6:27

Attachments:

smbrelayx.py prob

What steps will reproduce the problem?
1. from client do "dir \\ip_attack\c$"
2. on attack machine "smbrelayx.py -h ip_DC -e payload.exe"
3.

What is the expected output? What do you see instead?
should execute payload and return to the listener a shell from the DC but 
instead;
[*] HTTPD: Received connection from 192.168.246.205, attacking target 
192.168.246.207
[*] SMBD: Received connection from 192.168.246.205, attacking target 
192.168.246.207
[*] Authenticating against 192.168.246.207 as HACK\Administrator SUCCEED
[*] Requesting shares on 192.168.246.207.....
[!] Error requesting shares on 192.168.246.207, aborting.....
[!] Error performing the installation, cleaning up: SMB SessionError: class: 
ERRNT, code: STATUS_ACCESS_DENIED(Access is denied.)
[*] Service Installed.. CONNECT!
[*] Opening SVCManager on 192.168.246.207.....
[!] Error performing the uninstallation, cleaning up


What version of the product are you using? On what operating system?
AD domain 2008r2(with a share) with win7x64sp1 client all full updated
attack machine kalix64

Please provide any additional information below.
i can use psexec.py with or without hashes and get a shell with the same domain 
account Administrator.


Original issue reported on code.google.com by [email protected] on 10 Dec 2013 at 4:57

metasploit fails connecting to impacket smbserver

the problem seems to be that metasploit advertises extended security 
capabilities in the protocol negotiation packet, but not in the session setup 
packet. impacket relies on the negotiation packet to determine capabilities, 
and throws an exception trying to parse the non-existent security blob.

This patch resolves the issue by consulting the setup packet instead of the 
cached negotiation packet:

===================================================================
--- impacket/smbserver.py   (revision 706)
+++ impacket/smbserver.py   (working copy)
@@ -2049,8 +2049,10 @@

         respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)

-        if connData['_dialects_parameters']['Capabilities'] & 
smb.SMB.CAP_EXTENDED_SECURITY:
-            # Extended security. Here we deal with all SPNEGO stuff
+        #if connData['_dialects_parameters']['Capabilities'] & 
smb.SMB.CAP_EXTENDED_SECURITY:
+        sessionSetupParameters = 
smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
+        if sessionSetupParameters['Capabilities'] & 
smb.SMB.CAP_EXTENDED_SECURITY:
+        # Extended security. Here we deal with all SPNEGO stuff
             respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters()
             respData       = smb.SMBSessionSetupAndX_Extended_Response_Data()
             sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
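Review bot: the original construction of sessionSetupParameters on the last context line of this hunk now duplicates the one added above the if, so it should be removed, and the commented-out `#if connData['_dialects_parameters']['Capabilities'] & ...` line should be deleted rather than left as dead code. Before reading Capabilities from SMBSessionSetupAndX_Extended_Parameters unconditionally, confirm that a client sending the non-extended Session Setup AndX parameter block places Capabilities at the same offset; if it does not, select the parameter structure from the request's WordCount first, then test the flag. The `# Extended security` comment should also keep its original indentation inside the if body.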

Original issue reported on code.google.com by [email protected] on 6 Sep 2012 at 12:59

exception parsing negotiate protocol request

looks like a missing ChallengeLength parameter.  The following fixes (I think!)

--- impacket/smbserver.py   (revision 717)
+++ impacket/smbserver.py   (working copy)
@@ -2238,6 +2238,7 @@
                     else:
                         # TODO: Handle random challenges, now one that can be used with rainbow tables
                         _dialects_data['Challenge'] = '\x11\x22\x33\x44\x55\x66\x77\x88'
+                        _dialects_parameters['ChallengeLength'] = 8
                     _dialects_parameters['Capabilities']    = smb.SMB.CAP_USE_NT_ERRORS | smb.SMB.CAP_NT_SMBS
                     _dialects_data['Payload'] = ''
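Review bot: `_dialects_parameters['ChallengeLength'] = 8` matches the 8-byte literal, but deriving it as `len(_dialects_data['Challenge'])` keeps the two fields from drifting once the TODO above it is addressed; the branch before this `else:` (not shown) needs the same assignment or the original exception will still fire on that path. Since the TODO already notes the fixed challenge is usable with rainbow tables, the change that matters for anyone running this server is to set Challenge from `os.urandom(8)` on every negotiate.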

The following packet (this is TCP payload) will trigger:

0000002fff534d42720000000000000000000000000000000000000000005c0200000000000c0002
4e54204c4d20302e313200

Original issue reported on code.google.com by [email protected] on 13 Sep 2012 at 9:58

Exception writing to named pipes

09/06/2012 03:09:57 PM: ERROR: smbComWriteAndx: '_socketobject' object has no 
attribute 'write'

seems like:

                     sock.write(writeAndXData['Data'])

should be:

                     sock.send(writeAndXData['Data'])


line ~1480 in smbserver.py

Original issue reported on code.google.com by [email protected] on 6 Sep 2012 at 10:38

Bad record decoding in ese.py

Hi,

In the __tagToRecord method defined in ese.py line 962, record's columns are 
decoded using an encoding retrieved with 
"StringCodePages[columnRecord['CodePage']]" line 960.

However, the "StringCodePages" dict does not properly convert internal code 
page to a "intelligible" Python encoding when the code page is 1252:

# Code pages
CODEPAGE_UNICODE = 1200
CODEPAGE_ASCII   = 20127
CODEPAGE_WESTERN = 1252

StringCodePages = { 
    CODEPAGE_UNICODE : 'utf-16le', 
    CODEPAGE_ASCII   : 'ascii',
    CODEPAGE_WESTERN : 'ascii',
}

Code page 1252 must be converted to "cp1252" instead of "ascii":

    CODEPAGE_WESTERN : 'cp1252'

Otherwise, you will sometimes experience decoding issues like this one:

UnicodeDecodeError: 'ascii' codec can't decode byte 0xac in position 0: ordinal 
not in range(128)



Original issue reported on code.google.com by [email protected] on 26 Aug 2014 at 4:32

Module Import Failure

What steps will reproduce the problem?
1. Download impacket-0.9.9.9.tar.gz, untar package. 
2. cd into impacket directory, run python setup install
3. run interactive python prompt
   import module: from impacket.examples import psexec

What is the expected output? What do you see instead?

>>> from impacket.examples import psexec
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named examples

What version of the product are you using? On what operating system?

impacket-0.9.9.9, OS backtrack 5 and also tested on Fedora 16

Please provide any additional information below.

Attempted to include __init__.py within the examples directory. Import still 
fails. 


Original issue reported on code.google.com by [email protected] on 30 Apr 2013 at 2:03

MSRPCHeaders fail to be created with no data

Was getting an exception in MSRPCHeader creation:

error: ('unpack requires a string argument of length 1', "When unpacking field 
'ver_major | B | ''[:1]'")

Looks like the structure was being initialized before the test for no data was 
performed. Flipping it around seemed to make it happy. (Not 100% sure this is 
the right solution as I'm just starting to get familiar w/ the codebase)

Index: impacket/dcerpc/dcerpc.py
===================================================================
--- impacket/dcerpc/dcerpc.py   (revision 714)
+++ impacket/dcerpc/dcerpc.py   (working copy)
@@ -270,8 +270,9 @@
     )

     def __init__(self, data = None, alignment = 0):
-        Structure.__init__(self,data, alignment)
-        if data is None:
+        if data:
+            Structure.__init__(self,data, alignment)
+        else:
             self['ver_major'] = 5
             self['ver_minor'] = 0
             self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG 
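Review bot: the new `else:` branch no longer calls `Structure.__init__` at all, so whatever the base constructor sets for the no-data case (the structure.py traceback elsewhere on this page shows it assigning `self.rawData = data` and `self.data = None`, and `alignment` is passed to it) is never initialised on a default-constructed header; call `Structure.__init__(self, None, alignment)` before assigning the defaults. Switching the test from `if data is None:` to `if data:` is what actually fixes the reported error, since the message (`''[:1]` when unpacking ver_major) shows the header was built from an empty string, which the old `is None` check never caught; that is worth saying in the commit message.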

Original issue reported on code.google.com by [email protected] on 10 Sep 2012 at 6:15

CMD.exe not open

[*] Requesting shares on 192.168.148.52.....
[*] Found writable share E$
[*] Uploading file xjgawhWr.exe
[*] Opening SVCManager on 192.168.148.52.....
[*] Creating service DglE on 192.168.148.52.....
[*] Starting service DglE.....
[!] Pipe not ready, aborting
[*] Opening SVCManager on 192.168.148.52.....
[*] Stoping service DglE.....
[*] Removing service DglE.....
[*] Removing file xjgawhWr.exe.....
[!] Error performing the uninstallation, cleaning up
root@kali:~# 

Original issue reported on code.google.com by [email protected] on 21 Aug 2013 at 4:59

NTLMAuthHeader should be used for DCE/RPC only

The common header defined in class NTLMAuthHeader in ntlm.py is actually 
exclusive to DCE/RPC, not NTLM. So if included (see r246), DCE/RPC 
authentication with NTLM1 works, but SMB with NTLM1 doesn't. 

Original issue reported on code.google.com by jigermano on 2 Feb 2011 at 8:48

__str__ Problem


What steps will reproduce the problem?
print packets without __str__ defined (eg. LLC)

What is the expected output? What do you see instead?
Expected was a string. :-)

File "XXXXXXXX\Python26\lib\site-packages\impacket\ImpactPacket.py", line 550, 
in __str__
    tmp_str += '\n' + self.child().__str__()
AttributeError: LLC instance has no attribute '__str__'

What version of the product are you using? On what operating system?
impacket 09.10 with python 2.6.5 on Windows 7

Please provide any additional information below.
You can use str(self.child()) instead of self.child().__str__() which will call 
the __str__ function if defined and if not no exception will be raised and at 
least a little information "<impacket.dot11.LLC instance at 0x02C9B800>" is 
displayed.

Original issue reported on code.google.com by [email protected] on 19 Sep 2013 at 7:36

retr_file permissions issue in smb.py

What steps will reproduce the problem?

1. Authenticate to read only share using smbclient.py
2. Attempt to download a file
3. Get ACCESS_DENIED error

What is the expected output? What do you see instead?

Using the native Linux tool 'smbclient' I followed the same procedure as above, 
and was able to download the file without issue.  I expected 'smbclient.py' 
(indirectly smb.py and the retr_file method) to perform identically, but it did 
not.  

The SMB source is running on a Windows XP VM (so SMBv1)

What version of the product are you using? On what operating system?
February 2014: 0.9.11
The issue was reproduced on OS X 10.7.5 and Kali (Linux kali 3.12-kali1-amd64 
#1 SMP Debian 3.12.6-2kali1 (2014-01-06) x86_64 GNU/Linux) using the example 
'smbclient.py' program.

I'm not sure if this is truly a bug or not - but the behavior I noticed was 
inconsistent with the behavior of a vanilla 'smbclient' against the same host.

Original issue reported on code.google.com by [email protected] on 5 Jun 2014 at 8:16

smbserver.py does not work with signing

root@kali:~/impacket/impacket# smbclient -v -S required //localhost/TMP
Enter root's password: 
smb_signing_good: BAD SIG: seq 1
smb_signing_good: BAD SIG: seq 3
session setup failed: NT_STATUS_ACCESS_DENIED

Since impacket 0.9.10 added support for smb signing, I hoped and expected to 
see this working in smbserver.py as well.  Maybe it was started and forgotten, 
since hashlib was imported.

I am using svn checkout rev 1056.


Original issue reported on code.google.com by [email protected] on 3 Jan 2014 at 7:16

secretsdump.py utf16 codec errors

What steps will reproduce the problem?
1. Run secretsdump.py against a remote Domain Controller target

What is the expected output? What do you see instead?
Would like to see continued run if utf error encountered

What version of the product are you using? On what operating system?
Impacket v0.9.12
# $Id: secretsdump.py 1154 2014-03-21 14:49:10Z

Please provide any additional information below.
Here is the specific error messages:
----
[*] Dumping cached domain logon information 
(uid:encryptedHash:longDomain:domain)
...
[!] 'utf16' codec can't decode bytes in position 2-3: illegal encoding
[*] Cleaning up... 
----
[*] Dumping cached domain logon information 
(uid:encryptedHash:longDomain:domain)
...
[!] 'utf16' codec can't decode bytes in position 32-33: illegal UTF-16 surrogate
[*] Cleaning up... 
----
If there is a utf16 error of some kind, is it possible for it to continue 
reading and extracting the remaining dump?

Original issue reported on code.google.com by [email protected] on 3 Sep 2014 at 3:08

Incoherent doc for byte-order format specifiers, and doc typos

Reported by Yann Dirson: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703784 :

in the impacket.structure.Structure doc:

 |      >       [little endian]
...
 |      <       [little endian]
 |      >       [big endian]

other typos exist:

 |      Q       [unsigned long ong (quad)]

and it includes literal \x00 in the docstring, where they should
probably have been entered as \\x00, or the docstring should have
been made a raw string.

Original issue reported on code.google.com by [email protected] on 28 May 2013 at 1:49

PSexec.py doesn't return stderr nor does it return certain outputs like running python of any kind in windows.

What steps will reproduce the problem?
1.run psexec.py on a machine with python installed
2.attempt to run python or a python script or some program that will output to 
stderr
3.Nothing is put out to the console

What is the expected output? What do you see instead?
you should be getting all output from the console independent of what is run or 
how it is run.

What version of the product are you using? On what operating system?
0.9.9.9

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 16 May 2013 at 12:41

No way to read from pipe in psexec without blocking.

What steps will reproduce the problem?
1.  If you modify the timeouts in psexec, sometimes psexec doesn't come back 
after throwing a netbiostimeout exception and catching the exception. Of course 
because it is timing out.
2. However, looking to run select directly on the socket won't work because a 
packet needs to be sent in order to be able to receive a response from the smb 
server.
3.  There is no function implemented to be able to scan a file on the smb 
server to see if the file has new data ready to read.

in short, if you are running psexec as an object instead of a stand alone 
script, threads will never be able to be collected because they will run until 
the timeout is exceeded, a very long time.

What is the expected output? What do you see instead?
There should be a function to be able to check if the remote file has data to 
be read or throwing a net bios timeout shouldn't necessarily result in a loss of 
connection..  Maybe attempting to read 0 bytes should be the norm of checking 
to see if the remote file handle has something to be read. Either way, seamless 
non blocking reads from the remote smb should be possible.
example:
            try:
                #if there is something to read read it
                #following function doesn't exist, but it probably should.
                if self.server.File_ready(self.tid,self.fid):
                    ans = self.server.readFile(self.tid,self.fid, 0, 1024)
                else:
                    #maybe we want to close the session and say good bye
                    #or maybe we want to continue asking if there is any
                    #thing to be read.  Either way, I should be able to
                    #ask the question
                    continue
            except Exception, e:
                import traceback
                traceback.print_exc()
                pass

What version of the product are you using? On what operating system?
0.9.10

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 7 Jun 2013 at 6:22

error: can only concatenate tuple (not "unicode") to tuple

What steps will reproduce the problem?
1. command:
secretsdump.py -system c:\system -security c:\security -sam c:\sam LOCAL

2. output error:
[*] _SC_TlntSvr
[!] can only concatenate tuple (not "unicode") to tuple

3.

What is the expected output?
_SC_TlntSvr
0000   61 00 64 00 6D 00 69 00 6E 00 31 00 32 00 33 00    a.d.m.i.n.1.2.3.

PS: output from creddump-0.3\lsadump.py tool.

What version of the product are you using? On what operating system?
impacket-0.9.12
Python 2.7.8 (32 bits)
windows 2008 R2 (x64)




Original issue reported on code.google.com by [email protected] on 29 Aug 2014 at 5:17

PSEXEC doesn't work against a w2k target

Due to the fact the RemComSVC was compiled using VC2010 (statically to avoid the 
need of the VC runtime) it was found this solution doesn't work on Windows 2000 
(it says the binary is not a Win32 Application).

According to http://support.microsoft.com/kb/2005279, looks like I will need to 
compile the solution with VC2008.


Original issue reported on code.google.com by [email protected] on 7 Aug 2012 at 10:33

IGMP checksum fails

What steps will reproduce the problem?
1. Create a packet using ImpactPacket.IGMP()
2. Send the packet

What is the expected output? What do you see instead?
Expect an IGMP packet to be constructed, but get:

  File "/Library/Python/2.7/site-packages/impacket/ImpactPacket.py", line 1864, in calculate_checksum
    if self.__auto_checksum and (not self.get_igmp_cksum()):
AttributeError: IGMP instance has no attribute '_IGMP__auto_checksum'

What version of the product are you using? On what operating system?
svn version on OSX 10.8

Please provide any additional information below.

The patch fixing the issue is attached

Original issue reported on code.google.com by [email protected] on 20 Oct 2012 at 12:01

Attachments:

esentutl.py crashes while dumping table from ntds.dit

While dumping the "datatable" table of an ntds.dit I get the following message.

''ascii' codec can't decode byte 0xcd in position 0: ordinal not in range(128)"

and esentutl stops short of finishing the dump afterwards. I think it's 
happening around where there are some Chinese characters in the database.

Using impacket version 0.9.12-dev from the svn

Original issue reported on code.google.com by [email protected] on 22 May 2014 at 2:44
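The code-page mapping bug reported above for ese.py, and this esentutl.py crash, which is the same 'ascii' codec error on a byte above 0x7f, as one added example that is neither ese.py nor esentutl.py code: the buggy and corrected StringCodePages mappings side by side, applied to constructed column values. decode_column and decode_all are this example's own names; the sample cells assume the CJK text sits in a code page 1200 column, which is an assumption about the database and not something the reports state.

```python
# Added example (not ese.py / esentutl.py code): map ESE column code pages to
# Python codecs and decode column bytes, buggy and corrected mapping side by side.

CODEPAGE_UNICODE = 1200
CODEPAGE_ASCII   = 20127
CODEPAGE_WESTERN = 1252

# Mapping as reported (1252 treated as plain ASCII)
BUGGY_STRING_CODEPAGES = {
    CODEPAGE_UNICODE: 'utf-16le',
    CODEPAGE_ASCII:   'ascii',
    CODEPAGE_WESTERN: 'ascii',
}
# Corrected mapping
FIXED_STRING_CODEPAGES = {
    CODEPAGE_UNICODE: 'utf-16le',
    CODEPAGE_ASCII:   'ascii',
    CODEPAGE_WESTERN: 'cp1252',
}

def decode_column(raw, codepage, table):
    """Decode one column value with the codec the table assigns to its code page."""
    try:
        codec = table[codepage]
    except KeyError:
        raise ValueError("no codec registered for code page %d" % codepage)
    return raw.decode(codec)

def decode_all(columns, table):
    """Decode every (codepage, raw) pair, collecting failures instead of
    stopping, so one undecodable cell does not cut a table dump short."""
    values, failures = [], []
    for idx, (codepage, raw) in enumerate(columns):
        try:
            values.append(decode_column(raw, codepage, table))
        except (UnicodeDecodeError, ValueError) as e:
            values.append(None)
            failures.append((idx, str(e)))
    return values, failures

# Constructed sample cells. The first two start with the bytes named in the
# two reports (0xac and 0xcd), which are valid cp1252 but not ASCII.
SAMPLE_COLUMNS = [
    (CODEPAGE_WESTERN, b"\xacX"),
    (CODEPAGE_WESTERN, b"\xcdvar"),
    (CODEPAGE_WESTERN, b"plain"),
    (CODEPAGE_UNICODE, "\u4e2d\u6587".encode("utf-16le")),   # CJK text, 1200 column
    (CODEPAGE_ASCII,   b"ascii only"),
]

if __name__ == "__main__":
    for name, table in (("buggy", BUGGY_STRING_CODEPAGES),
                        ("fixed", FIXED_STRING_CODEPAGES)):
        values, failures = decode_all(SAMPLE_COLUMNS, table)
        print(name, values, failures)
```

Which codec applies is decided entirely by the column's stored code page, so the fix is in the mapping table, not in the decoder; decode_all additionally shows the collect-and-continue behaviour that keeps a dump going when a single cell is genuinely corrupt.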

VLAN tagging (IEEE 802.1Q and 802.1ad)

I would like to suggest a new feature. It would be nice if Impacket recognized 
IEEE 802.1Q tags and provided interface to inspect them conveniently.

Currently, ImpactPacket.Ethernet does not check for the presence of tags. If 
present, a wrong header size and EtherType are reported, which causes 
EthDecoder to overlook higher protocol layers. The user is left with an 
Ethernet instance containing an ImpactPacket.Data child.

The attached solution extends ImpactPacket.Ethernet with methods managing the 
tag stack (get, set, push, pop) and modifies load_header, get_header_size and 
get/set_ether_type accordingly. The tag getters/setters work with instances of 
EthernetTag, which provide access to the tags' fields. A unit test is included.

Original issue reported on code.google.com by [email protected] on 12 May 2013 at 4:55

Attachments:

using id() to generate a 32-bit integer fails in 64-bit environment

with a 64-bit build of python, id() results often exceed 2**32, which causes 
structure.pack to be unhappy.

Found this in the srvsvcserver code, but maybe it's elsewhere.. Here's what I 
did to fix (not bulletproof, but probably safe?):

Index: impacket/dcerpc/srvsvcserver.py
===================================================================
--- impacket/dcerpc/srvsvcserver.py (revision 714)
+++ impacket/dcerpc/srvsvcserver.py (working copy)
@@ -212,6 +212,9 @@
 import ConfigParser
 import struct

+def _get_id(o):
+  return id(o) & 0xffffffff
+
 class SRVSVCServer(DCERPCServer):
     def __init__(self):
         DCERPCServer.__init__(self)
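Review bot: `_get_id` is indented with two spaces while the rest of the module uses four; match the file. More importantly, the masked value is used as an NDR referent id for pNetName and pRemark, where 0 means a null pointer, so `id(o) & 0xffffffff` can yield a value the client reads as NULL; either OR in a nonzero low bit or, better, hand out referent ids from a per-response counter instead of a masked address, which also removes any doubt about `_get_id(share)+1` colliding with another object's masked id.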
@@ -243,9 +246,9 @@
        answer = srvsvc.SRVSVCSwitchpShareInfo2()
        answer['Level']      = 1
        answer['InfoStruct'] = srvsvc.SRVSVCShareInfo1()
-       answer['InfoStruct']['pNetName'] = id(share)
+       answer['InfoStruct']['pNetName'] = _get_id(share)
        answer['InfoStruct']['Type']     = int(share['share type'])
-       answer['InfoStruct']['pRemark']  = id(share)+1
+       answer['InfoStruct']['pRemark']  = _get_id(share)+1
        answer = str(answer)
        netName = srvsvc.NDRString()
        remark  = srvsvc.NDRString()
@@ -276,9 +279,9 @@
        answer = str(shareEnum) 
        for i in self.__shares:
           shareInfo = srvsvc.SRVSVCShareInfo1()
-          shareInfo['pNetName'] = id(i)
+          shareInfo['pNetName'] = _get_id(i)
           shareInfo['Type']     = int(self.__shares[i]['share type'])
-          shareInfo['pRemark']  = id(i)+1
+          shareInfo['pRemark']  = _get_id(i)+1
           answer += str(shareInfo)

        for i in self.__shares:
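Review bot: inside this loop every share's pNetName and pRemark referent must be distinct; a counter-based allocator guarantees that, whereas two addresses whose low 32 bits coincide do not. Also `_get_id(i)+1` can overflow past 0xffffffff when the masked id is exactly 0xffffffff, which reintroduces the struct.pack failure the patch is meant to remove; apply the mask after the addition (for example `(id(i) + 1) & 0xffffffff`).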

Original issue reported on code.google.com by [email protected] on 10 Sep 2012 at 5:14

Code fix to handle IGMP packet

Steps need to properly handle IGMP packet:

==ImpactDecoder.py==
add at line 91:
        elif i.get_ip_p() == ImpactPacket.IGMP.protocol:
            self.igmp_decoder = IGMPDecoder()
            packet = self.igmp_decoder.decode(aBuffer[off:])

add at line 171:
class IGMPDecoder(Decoder):
    def __init__(self):
        pass

    def decode(self, aBuffer):
        ig = ImpactPacket.IGMP(aBuffer)
        off = ig.get_header_size()
        self.data_decoder = DataDecoder()
        packet = self.data_decoder.decode(aBuffer[off:])
        ig.contains(packet)
        return ig

==ImpactPacket.py==
change line 1670:
answer = tmp_dict.get(aType, 'UNKNOWN TYPE OR VERSION ')

change line 1680:
tmp_str += 'Group: ' + socket.inet_ntoa(struct.pack('!L',self.get_igmp_group()))

Hope I haven't missed anything!

Original issue reported on code.google.com by [email protected] on 1 Jul 2013 at 3:26

bad packaging

In the file: http://impacket.googlecode.com/files/impacket-0.9.9.9.tar.gz

- Impacket.spec
  - notice how the spec's name doesn't reflect the package name?
    - the case of the leading 'i'/'I' is different
  - %define version 0.9.9.0_dev
    - is not the same version as the "published" package's version (0.9.9.9)
  - %define unmangled_version 0.9.9.0-dev
    - ditto
    - additionally, since the spec is directing rpmbuild to use "{tgz_name}-%{unmangled_version}.tar.gz" (in the Source0 tag) to find the source tarball, it fails since the source is named impacket-0.9.9.9.tar.gz per the "published" version
  - License: UNKNOWN
    - should reflect the actual license of the software
  - %description
    - should provide at least a brief description of the package

All of these errors make it difficult to programmatically build your package 
with the same code that can successfully build any other properly published 
python package such as those found on http://pypi.python.org/.

The unmangled_version fubar makes it actually impossible to build the package 
at all without having to manually correct the Impact.spec file.

Original issue reported on code.google.com by [email protected] on 3 Jan 2013 at 10:06

another exception, this time in setup andx processing

here's a repro payload:

00000049ff534d42730000000000000000000000000000000000000000005c02000000000dff0000
00ffff02005c02000000000000000000000000010000000b0000004d5300434c49454e5400

and here's a stack trace:

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbserver.py", line 2332, in handle
    resp = self.__SMB.processRequest(self.__connId, p.get_trailer())
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbserver.py", line 2651, in processRequest
    packet)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbserver.py", line 2177, in smbComSessionSetupAndX
    sessionSetupData.fromString(SMBCommand['Data'])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 142, in fromString
    size = self.calcUnpackSize(field[1], data, field[0])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 464, in calcUnpackSize
    return self.calcUnpackSize(two[0], data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 496, in calcUnpackSize
    return data.index('\x00')+1
ValueError: substring not found

Original issue reported on code.google.com by [email protected] on 13 Sep 2012 at 10:08

Ethernet MAC address lacks leading zeros

Ethernet MAC addresses are normally shown with a leading zero when necessary ie: 
0a:0b:0c:0d:0e:0f and not a:b:c:d:e:f.

Currently Impacket.py Ethernet.as_eth_addr returns the above.

Attached is a patch that fixes this as well as adding static calling and 
simplifies the logic

Original issue reported on code.google.com by [email protected] on 27 Feb 2012 at 2:05

Attachments:
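An added example, not ImpactPacket code and not either attached patch, covering both the 802.1Q/802.1ad tag-stack handling suggested earlier on this page and the leading-zero MAC formatting in this report: parse_ethernet walks the tag stack to find the payload EtherType and the true header size, and as_eth_addr renders addresses as fixed two-digit hex pairs. The frame bytes are constructed for the example; the function names and the returned dict layout are this example's own.

```python
# Added example (not ImpactPacket code): Ethernet header parsing with an
# 802.1Q / 802.1ad tag stack, plus zero-padded MAC address formatting.
import struct

ETHERTYPE_8021Q  = 0x8100   # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8   # service VLAN tag (S-TAG, "QinQ")
ETHERTYPE_IPV4   = 0x0800
TAG_ETHERTYPES   = (ETHERTYPE_8021Q, ETHERTYPE_8021AD)

def as_eth_addr(addr):
    """Render 6 raw bytes as 'aa:bb:cc:dd:ee:ff', keeping leading zeros."""
    if len(addr) != 6:
        raise ValueError("MAC address must be 6 bytes, got %d" % len(addr))
    return ":".join("%02x" % b for b in addr)

def parse_ethernet(frame):
    """Parse dst/src, then walk VLAN tags until a non-tag EtherType.

    Returns formatted addresses, the tag stack as (tpid, pcp, dei, vid)
    tuples outermost first, the payload EtherType and the total header
    size. A parser that stops at the first EtherType reports header_size
    14 and ether_type 0x88A8 for the double-tagged sample below, which is
    the mis-decode the feature request describes.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    tags = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated EtherType at offset %d" % off)
        etype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if etype not in TAG_ETHERTYPES:
            break
        if off + 2 > len(frame):
            raise ValueError("truncated VLAN TCI at offset %d" % off)
        tci = struct.unpack_from("!H", frame, off)[0]
        off += 2
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
    return {
        "dst": as_eth_addr(dst),
        "src": as_eth_addr(src),
        "tags": tags,
        "ether_type": etype,
        "header_size": off,
    }

# Constructed samples: an untagged IPv4 frame, and a QinQ frame with
# S-TAG vid 100 followed by C-TAG pcp 5 / vid 200, then IPv4.
SAMPLE_PLAIN_FRAME = (
    bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("001122334455")
    + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45\x00"
)
SAMPLE_QINQ_FRAME = (
    bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("001122334455")
    + struct.pack("!HH", ETHERTYPE_8021AD, 0x0064)
    + struct.pack("!HH", ETHERTYPE_8021Q, (5 << 13) | 200)
    + struct.pack("!H", ETHERTYPE_IPV4)
    + b"\x45\x00"                      # first bytes of a (truncated) IPv4 header
)

if __name__ == "__main__":
    for frame in (SAMPLE_PLAIN_FRAME, SAMPLE_QINQ_FRAME):
        print(parse_ethernet(frame))
```

The header size returned here is what a decoder chain must use as the offset of the next layer; handing the untagged 14 to an IP decoder on a tagged frame is exactly how the higher layers get lost and end up as an opaque Data child.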

samrdump import issue

What steps will reproduce the problem?
1. Download the 0.9.9.9.9 version
2. run setup.py install
3. run samrdump.py <ip>

What is the expected output? What do you see instead?
The normal smb enumeration info are expected, but it returns:

Traceback (most recent call last):
  File "/usr/local/bin/samrdump.py", line 24, in <module>
    from impacket import uuid, version
ImportError: cannot import name version


What version of the product are you using? On what operating system?
The last one (impacket-0.9.9.9.tar.gz) - Linux Backtrack 5r3

Please provide any additional information below.

Original issue reported on code.google.com by [email protected] on 18 Jan 2013 at 1:57

another exception in setup andx

pcap showing a session that will cause the exception attached.

The pcap was captured "in the wild", no idea what the client was.

  File "/usr/local/Cellar/python/2.7.3/lib/python2.7/site-packages/impacket/smbserver.py", line 2650, in processRequest
    packet)
  File "/usr/local/Cellar/python/2.7.3/lib/python2.7/site-packages/impacket/smbserver.py", line 2063, in smbComSessionSetupAndX
    if struct.unpack('B',sessionSetupData['SecurityBlob'][0])[0] != smb.ASN1_AID:
IndexError: string index out of range

Original issue reported on code.google.com by [email protected] on 19 Sep 2012 at 6:41

Attachments:

SMB_FIND_FILE_BOTH_DIRECTORY_INFO FileName non-NUL terminated

The SMBFindFileBothDirectoryInfo structure implements UnicodeStructure, which 
expects the unicode strings to be double NUL terminated.

However, the SMB_FIND_FILE_BOTH_DIRECTORY_INFO uses the FileNameLength 
parameter to determine bounds of FileName and not double NUL.

This means that SMBFindFileBothDirectoryInfo is unable to unpack the data 
correctly.

This appears to be the same for all FIND information levels.

/usr/local/lib/python2.7/dist-packages/impacket/smb.pyc in __init__(self, 
flags, **kargs)
    845         else:
    846             self.structure = self.AsciiStructure
--> 847         return Structure.__init__(self, **kargs)
    848 
    849 class SMBCommand_Parameters(Structure):

/usr/local/lib/python2.7/dist-packages/impacket/structure.pyc in __init__(self, 
data, alignment)
     82         self.rawData   = data
     83         if data is not None:
---> 84             self.fromString(data)
     85         else:
     86             self.data = None

/usr/local/lib/python2.7/dist-packages/impacket/structure.pyc in 
fromString(self, data)
    147                 dataClassOrCode = field[2]
    148             try:
--> 149                 self[field[0]] = self.unpack(field[1], data[:size], 
dataClassOrCode = dataClassOrCode, field = field[0])
    150             except Exception,e:
    151                 e.args += ("When unpacking field '%s | %s | %r[:%d]'" % (field[0], field[1], data, size),)

/usr/local/lib/python2.7/dist-packages/impacket/structure.pyc in unpack(self, 
format, data, dataClassOrCode, field)
    343         if format == 'u':
    344             if data[-2:] != '\x00\x00':
--> 345                 raise Exception, ("%s 'u' field is not NUL-NUL 
terminated: %r" % (field, data))
    346             return data[:-2] # remove trailing NUL
    347 

Original issue reported on code.google.com by [email protected] on 24 Aug 2014 at 10:57
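An added example, not impacket code, of parsing SMB_FIND_FILE_BOTH_DIRECTORY_INFO entries by FileNameLength rather than by a NUL-NUL terminator as this report describes. It builds a constructed two-entry response using the MS-CIFS field layout and shows that the length-bounded FileName bytes do not end in NUL-NUL, so the 'u' field check in the traceback can never pass on such data. The helper names build_find_response, parse_find_response and is_nul_nul_terminated are this example's own.

```python
# Added example (not impacket code): parse SMB_FIND_FILE_BOTH_DIRECTORY_INFO
# entries using FileNameLength to bound FileName, not a NUL-NUL terminator.
import struct

# Fixed part of the entry (MS-CIFS layout, little-endian, no padding):
# NextEntryOffset, FileIndex, CreationTime, LastAccessTime, LastWriteTime,
# LastChangeTime, EndOfFile, AllocationSize, ExtFileAttributes,
# FileNameLength, EaSize, ShortNameLength, Reserved, ShortName[24]
FIXED_FMT = "<IIQQQQQQIIIBB24s"
FIXED_SIZE = struct.calcsize(FIXED_FMT)   # 94 bytes

FILE_ATTRIBUTE_ARCHIVE = 0x20

def build_entry(name, next_entry_offset, attrs=FILE_ATTRIBUTE_ARCHIVE):
    """Build one entry; FileName is UTF-16LE with no terminator, as on the wire."""
    raw_name = name.encode("utf-16le")
    fixed = struct.pack(FIXED_FMT, next_entry_offset, 0,
                        0, 0, 0, 0,          # timestamps (constructed, zero)
                        0, 0,                # EndOfFile, AllocationSize
                        attrs, len(raw_name), 0, 0, 0, b"\x00" * 24)
    return fixed + raw_name

def build_find_response(names):
    """Chain entries via NextEntryOffset, 8-byte aligned; the last entry has 0."""
    out = b""
    for i, name in enumerate(names):
        body_len = FIXED_SIZE + len(name.encode("utf-16le"))
        pad = (-body_len) % 8
        last = (i == len(names) - 1)
        out += build_entry(name, 0 if last else body_len + pad)
        if not last:
            out += b"\x00" * pad
    return out

def parse_find_response(data):
    """Walk the entry chain, bounds-checking every offset and length."""
    entries, off = [], 0
    while True:
        if off + FIXED_SIZE > len(data):
            raise ValueError("truncated entry at offset %d" % off)
        fields = struct.unpack_from(FIXED_FMT, data, off)
        next_off, attrs, name_len = fields[0], fields[8], fields[9]
        name_start = off + FIXED_SIZE
        if name_start + name_len > len(data):
            raise ValueError("FileNameLength %d overruns buffer" % name_len)
        raw_name = data[name_start:name_start + name_len]
        entries.append({"name": raw_name.decode("utf-16le"),
                        "attrs": attrs, "raw_name": raw_name})
        if next_off == 0:
            break
        if next_off < FIXED_SIZE:
            raise ValueError("bad NextEntryOffset %d" % next_off)
        off += next_off
    return entries

def is_nul_nul_terminated(raw):
    """The 'u' field check from the traceback; false for length-bounded names."""
    return raw[-2:] == b"\x00\x00"

# Constructed sample response; the short first name needs alignment padding.
SAMPLE_FIND_RESPONSE = build_find_response(["ab", "notes.txt"])

if __name__ == "__main__":
    for entry in parse_find_response(SAMPLE_FIND_RESPONSE):
        print(entry["name"], "NUL-NUL terminated:",
              is_nul_nul_terminated(entry["raw_name"]))
```

Both the NextEntryOffset check (never smaller than the fixed part, never past the buffer) and the FileNameLength check are the difference between a parser that fails cleanly on a malformed response and one that raises an IndexError deep inside a structure class.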

smbserver not working with OSX Mavericks

What steps will reproduce the problem?
1. Launch the simple_server example (with the srvsvcservice.py running)
2. Connect from an OSX machine

What is the expected output? What do you see instead?
To show the shares and connect to the target machine


The problem seems to be two fold:

1) When we answer the SMB_COM_NEGOTIATE we don't set as a capability the RPC 
Remote APIs bit. Looks like the new Mavericks SMB stack will not try to ask 
shares w/o doing it in the RPC way.. hence it will close the connection. If I 
change the smbserver.py and add that capability the connection continues

2)  When the client is asking for shares through ncacn_np the bind answer 
should respond with '\PIPE\srvsvc' instead of '135' for the Secondary Addr 
field. This should be changed at the srvsvcserver.py file.

If I change both things.. everything starts working again.. We should perform 
further tests to verify nothing else breaks.. and think whether or not this is 
the best solution.

Original issue reported on code.google.com by [email protected] on 7 Jun 2014 at 9:19

psexec will always return 1

What steps will reproduce the problem?
1. no matter what you do, psexec will always return 1 because general 
exceptions are caught at the end of the script


            if len(ans):
               retCode = RemComResponse(ans)
               print "[*] Process %s finished with ErrorCode: %d, ReturnCode: %d" % (self.__command, retCode['ErrorCode'], retCode['ReturnCode'])
            installService.uninstall()
            unInstalled = True
            sys.exit(retCode['ErrorCode'])# this throws a system exit exception

        except:#this will catch the system exit exception
            if unInstalled is False:
                installService.uninstall()
            sys.stdout.flush()
            sys.exit(1)# No matter what, 1 will be returned

Original issue reported on code.google.com by [email protected] on 18 Jun 2013 at 5:59
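The cause is that `sys.exit()` raises `SystemExit`, and a bare `except:` catches it together with everything else. The following is an added example, not psexec.py's code: `finish_buggy` reproduces the report's control flow, `finish_fixed` narrows the handler to `except Exception`, which leaves `SystemExit` (a `BaseException` subclass, not an `Exception` subclass) alone while real failures still clean up and exit with 1. `uninstall_service` and `exit_code_of` are constructed stand-ins for the service uninstall and for the process exit.

```python
import sys

CLEANUP_CALLS = []

def uninstall_service():
    """Stand-in for installService.uninstall(); only records that cleanup ran."""
    CLEANUP_CALLS.append(True)

def exit_code_of(func, *args):
    """Call func, catch the SystemExit that sys.exit() raises, return its status."""
    try:
        func(*args)
    except SystemExit as e:
        return e.code
    return None

def finish_buggy(error_code):
    """Control flow as in the report: sys.exit() inside a bare 'except:' block."""
    uninstalled = False
    try:
        uninstall_service()
        uninstalled = True
        sys.exit(error_code)        # raises SystemExit ...
    except:                         # ... which a bare except catches like any BaseException
        if not uninstalled:
            uninstall_service()
        sys.exit(1)                 # so the process always exits with 1

def finish_fixed(error_code, fail=False):
    """Same structure, but 'except Exception' lets SystemExit propagate.

    Cleanup still runs on a real error (fail=True) and the exit status is 1;
    on the success path the remote process's ErrorCode reaches the caller.
    """
    uninstalled = False
    try:
        if fail:
            raise RuntimeError("constructed failure before cleanup")
        uninstall_service()
        uninstalled = True
        sys.exit(error_code)
    except Exception:
        if not uninstalled:
            uninstall_service()
        sys.exit(1)
```

Moving the `sys.exit(retCode['ErrorCode'])` call after the `try`/`except` block is an equally valid fix; the point is that a bare `except:` in a cleanup path should not wrap the exit itself.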

LsaLookupSids should also provide the SID_NAME_USE member (SID type)

This is actually a feature request.

While coding the smb_lookupsid module for patator (which does the same as 
metasploit's auxiliary/scanner/smb/smb_lookupsid module), I came up with this 
patch for impacket in order to be able to print the SID type along with the 
account name (ie. SidTypeUser, SidTypeGroup, ... cf. 
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379601%28v=vs.85%29.aspx)

Do you think you might want to add this feature?

Original issue reported on code.google.com by [email protected] on 23 Apr 2012 at 4:48

Reference to a undefined ERRBROWSE

Function strerror in smb.py references ERRBROWSE which is undefined.

Original issue reported on code.google.com by jigermano on 2 Feb 2011 at 9:16

Bad SessionError message

When a SessionError exception is raised, if one "prints" the exception, it 
shows something like:

Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 
'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: 
ERRnoaccess(Access denied.)

Original issue reported on code.google.com by jigermano on 2 Feb 2011 at 8:51

Undefined exception name (NameError)

If smb's unicode_convert is set to 0, a couple of "raise Except" are hit 
raising NameError, as Except is undefined.

Original issue reported on code.google.com by jigermano on 2 Feb 2011 at 9:22

svcctl.py StartServiceW does not work at the moment

I found your TODO note in line 760 of svcctl.py and indeed I confirm 
StartServiceW() method does not work as per definition the arguments must be 
provided, therefore I had to leave the start service to still use the old 
method:
data = self.__svc.start_service(self.__svc_handle, srvargs)

From 
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686321(v=vs.85).aspx:

"[...] the first argument (lpServiceArgVectors[0]) is the name of the service, 
followed by any additional arguments (lpServiceArgVectors[1] through 
lpServiceArgVectors[dwNumServiceArgs-1])."

Original issue reported on code.google.com by bernardo.damele on 18 Jan 2012 at 2:27

Services.py pass the hash causes an error

Latest stable version of impacket (0.9.11) has a small bug in services.py that 
causes an error when you try to pass the hash:

Impacket v0.9.11 - Copyright 2002-2014 Core Security Technologies

Traceback (most recent call last):
  File "./services.py", line 315, in <module>
    services = SVCCTL(username, password, domain, options)
  File "./services.py", line 46, in __init__
    self.__lmhash, self.__nthash = hashes.split(':')
NameError: global name 'hashes' is not defined

On line 46 in services.py:

self.__lmhash, self.__nthash = hashes.split(':')

should be:

self.__lmhash, self.__nthash = options.hashes.split(':')

Original issue reported on code.google.com by [email protected] on 8 Apr 2014 at 2:57

On Windows 2012R2 reports Broken Pipe

Starting from MS Windows 2012R2 the lib fails with the errors:

'_smb_upload' failed with exception 'error(32, 'Broken pipe')'

The _smb_upload is our wrapper around the lib.

import contextlib
import impacket.smbconnection

@contextlib.contextmanager
def smbconnect(self, smbport=139):
    smbconn = impacket.smbconnection.SMBConnection("*SMBSERVER", self.host, sess_port=smbport)
    self.log.debug("SMB connection to {} port {}".format(self.host, smbport))
    smbconn.login(self.creds.username, self.creds.password.plaintext)
    try:
        yield smbconn
    finally:
        # log off even when the body raises, so a failed upload does not leak the session
        smbconn.logoff()

# caller, elsewhere in the same class:
with self.smbconnect(smbport) as smbconn:
    ...
    smbconn.putFile(share, upload_to_path, file_to_upload.read)


Any suggestions are appreciated.

Thank you,

Arthur


Original issue reported on code.google.com by [email protected] on 29 Jul 2014 at 6:46

polling loop never terminates in nmb.NetBIOSTCPSession.polling_read()

What steps will reproduce the problem?
1. use nmb.py with polling_read instead of non_polling_read

What is the expected output? What do you see instead?
The code should perform selects until the time left drops to zero or data is 
available.  Instead, it waits forever or until data is available, at least in 
some circumstances.


What version of the product are you using? On what operating system?

impacket-0.9.10.746 on FreeBSD 9.1


Please provide any additional information below.

The code currently looks like this:

            try:
                ready, _, _ = select.select([self._sock.fileno() ], [ ], [ ], 0)

                print 'polling_read: time left', time_left   #  Added for debugging
                if not ready:
                    if time_left == 0:
                        raise NetBIOSTimeout

I believe the "time_left == 0" should be changed to "time_left <= 0"

Here's output with the debug message in place:

$ ./test.py
polling_read: time left 0.5  ready: []
polling_read: time left 0.475  ready: [6]
polling_read: time left 0.5  ready: [6]
polling_read: time left 0.5  ready: []
polling_read: time left 0.475  ready: []
polling_read: time left 0.45  ready: []
polling_read: time left 0.425  ready: [6]
polling_read: time left 0.5  ready: [6]
polling_read: time left 0.5  ready: []
polling_read: time left 0.475  ready: [6]
polling_read: time left 0.5  ready: [6]
polling_read: time left 0.5  ready: []
polling_read: time left 0.475  ready: []
polling_read: time left 0.45  ready: []
polling_read: time left 0.425  ready: []
polling_read: time left 0.4  ready: []
polling_read: time left 0.375  ready: []
polling_read: time left 0.35  ready: []
polling_read: time left 0.325  ready: []
polling_read: time left 0.3  ready: []
polling_read: time left 0.275  ready: []
polling_read: time left 0.25  ready: []
polling_read: time left 0.225  ready: []
polling_read: time left 0.2  ready: []
polling_read: time left 0.175  ready: []
polling_read: time left 0.15  ready: []
polling_read: time left 0.125  ready: []
polling_read: time left 0.1  ready: []
polling_read: time left 0.075  ready: []
polling_read: time left 0.05  ready: []
polling_read: time left 0.025  ready: []
polling_read: time left -1.5959455979e-16  ready: []
polling_read: time left -0.025  ready: []
polling_read: time left -0.05  ready: []
polling_read: time left -0.075  ready: []
polling_read: time left -0.1  ready: []
polling_read: time left -0.125  ready: []
  .  .  .

So the timer heads toward zero but due to float rounding it never hits exactly 
zero.  As written, the code also seems to require the timeout to be an exact 
multiple of the CHUNK_TIME (0.025).

Original issue reported on code.google.com by [email protected] on 17 May 2013 at 7:13
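A version of the loop that cannot fall into this trap, as an added example that is not nmb.py's code: instead of subtracting CHUNK_TIME from a float countdown and comparing it with `== 0`, it keeps an absolute deadline, tests `time_left <= 0`, and hands the remaining time to `select()` itself, so the timeout no longer needs to be a multiple of the chunk size. `NetBIOSTimeout`, `CHUNK_TIME` and the `_now` clock helper are assumptions made here; the two `wait_*` functions drive it over a constructed `socketpair`.

```python
import select
import socket
import time

CHUNK_TIME = 0.025                               # seconds per select() slice, as in nmb.py
_now = getattr(time, "monotonic", time.time)     # monotonic clock where available (assumed helper)

class NetBIOSTimeout(Exception):
    pass

def polling_read_ready(sock, timeout):
    """Poll sock until it is readable or timeout seconds have elapsed.

    Returns True as soon as select() reports data, raises NetBIOSTimeout otherwise.
    An absolute deadline plus a '<= 0' test means floating-point rounding can never
    make the loop miss the end of the timeout.
    """
    deadline = _now() + timeout
    while True:
        time_left = deadline - _now()
        if time_left <= 0:                       # not '== 0'
            raise NetBIOSTimeout()
        ready, _, _ = select.select([sock.fileno()], [], [], min(CHUNK_TIME, time_left))
        if ready:
            return True

def wait_returns_data(timeout=0.2):
    """Constructed check: a socketpair with a pending byte is ready at once."""
    a, b = socket.socketpair()
    try:
        b.sendall(b"\x00")
        return polling_read_ready(a, timeout)
    finally:
        a.close()
        b.close()

def wait_times_out(timeout=0.1):
    """Constructed check: an idle socketpair raises NetBIOSTimeout after ~timeout seconds."""
    a, b = socket.socketpair()
    start = _now()
    try:
        polling_read_ready(a, timeout)
        return False
    except NetBIOSTimeout:
        return _now() - start >= timeout
    finally:
        a.close()
        b.close()
```

Changing only the comparison to `<=` in the original countdown is enough to stop the infinite loop; the deadline form additionally keeps the wait honest when a `select()` call returns late.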

SMBTransport instance has no attribute 'get_dce_rpc'

What steps will reproduce the problem?
1. Download 0.9.10 tgz
2. python setup.py install
3. python psexec.py USER:PASSWORD@IP cmd.exe


What is the expected output?

cmd.exe prompt

What do you see instead?

Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies

Trying protocol 445/SMB...

Traceback (most recent call last):
  File "psexec.py", line 428, in <module>
    executer.run(address)
  File "psexec.py", line 96, in run
    self.doStuff(rpctransport)
  File "psexec.py", line 120, in doStuff
    dce = rpctransport.get_dce_rpc()
AttributeError: SMBTransport instance has no attribute 'get_dce_rpc'


What version of the product are you using? On what operating system?

Impacket 0.9.10
Fedora 19 64bit


Please provide any additional information below.

I tested with python and python3 without luck. Installation went OK.

Original issue reported on code.google.com by sebastian.treu on 12 Jan 2014 at 5:58

Error on function set_bytes_from_string in ImpactPacket.py

I'm trying to run one simple ICMP Spoofing (attached) but i'm getting:

Traceback (most recent call last):
  File "main.py", line 26, in <module>
    icmp.contains(ImpactPacket.Data("a"*100))
  File "/usr/local/lib/python2.7/dist-packages/impacket/ImpactPacket.py", line 485, in __init__
    self.set_data(aBuffer)
  File "/usr/local/lib/python2.7/dist-packages/impacket/ImpactPacket.py", line 488, in set_data
    self.set_bytes_from_string(data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/ImpactPacket.py", line 59, in set_bytes_from_string
    self.__bytes = array.array('B', data)
TypeError: an integer is required

Thank you.

Original issue reported on code.google.com by [email protected] on 26 Mar 2014 at 1:02

secretsdump not working against a Windows 2000 Server

What steps will reproduce the problem?
1. Have a w2k with Administrator password
2. Run secrets dump against that host.

What is the expected output? What do you see instead?

To dump the target secrets.

What happens?
it does not.. and dumps the following error:
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x4accc2a5af48818b826ab78d68bbe12f
[+] Checking NoLMHash Policy
[!] RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified.
[*] Cleaning up...

Original issue reported on code.google.com by [email protected] on 4 Mar 2014 at 6:47

Python 2.6 support for OrderedDict

What steps will reproduce the problem?
1. Try to run wmiexec.py w/ Python 2.6 using ordereddict installed via pip on 
Debian 7 x64

# pip install ordereddict
Downloading/unpacking ordereddict
  Downloading ordereddict-1.1.tar.gz
  Running setup.py egg_info for package ordereddict
Installing collected packages: ordereddict
  Running setup.py install for ordereddict
Successfully installed ordereddict
Cleaning up...

What is the expected output? What do you see instead?

Expected:

Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

Password:
SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>

Saw:

./wmiexec.py [email protected]
Traceback (most recent call last):
  File "./wmiexec.py", line 34, in <module>
    from impacket.dcerpc.v5.dcom import wmi
  File "/usr/local/lib/python2.6/dist-packages/impacket/dcerpc/v5/dcom/wmi.py", line 51, in <module>
    from ordereddict.ordereddict import OrderedDict
ImportError: No module named ordereddict


What version of the product are you using? On what operating system?

Trunk

Please provide any additional information below.

Fix was to change:
   python2.6/dist-packages/impacket/dcerpc/v5/dcom/wmi.py

Line: 51
from:
    from ordereddict.ordereddict import OrderedDict
to:
    from ordereddict import OrderedDict


Original issue reported on code.google.com by [email protected] on 16 Apr 2014 at 7:54

Copy with smb doesn't work

SMB's copy method seems to create a 0 bytes destination file, due to a zero 
file size in the "Open AndX response". retr_file method already solves this 
issuing a call to query_file_info method to get the actual size (though even 
with that added, there is an undeclared variable further down the line).

Original issue reported on code.google.com by jigermano on 2 Feb 2011 at 8:59
