fortra / impacket
Impacket is a collection of Python classes for working with network protocols.
Home Page: https://www.coresecurity.com
License: Other
What steps will reproduce the problem?
1. Launch the simple_server example (with the srvsvcservice.py running)
2. Connect from an OSX machine
What is the expected output? What do you see instead?
To show the shares and connect to the target machine
The problem seems to be twofold:
1) When we answer the SMB_COM_NEGOTIATE we don't set as a capability the RPC
Remote APIs bit. Looks like the new Mavericks SMB stack will not try to ask
shares w/o doing it in the RPC way.. hence it will close the connection. If I
change the smbserver.py and add that capability the connection continues
2) When the client is asking for shares through ncacn_np the bind answer
should respond with '\PIPE\srvsvc' instead of '135' for the Secondary Addr
field. This should be changed at the srvsvcserver.py file.
If I change both things.. everything starts working again.. We should perform
further tests to verify nothing else breaks.. and think whether or not this is
the best solution.
Original issue reported on code.google.com by [email protected]
on 7 Jun 2014 at 9:19
09/06/2012 03:09:57 PM: ERROR: smbComWriteAndx: '_socketobject' object has no
attribute 'write'
seems like:
sock.write(writeAndXData['Data'])
should be:
sock.send(writeAndXData['Data'])
line ~1480 in smbserver.py
Original issue reported on code.google.com by [email protected]
on 6 Sep 2012 at 10:38
[*] Requesting shares on 192.168.148.52.....
[*] Found writable share E$
[*] Uploading file xjgawhWr.exe
[*] Opening SVCManager on 192.168.148.52.....
[*] Creating service DglE on 192.168.148.52.....
[*] Starting service DglE.....
[!] Pipe not ready, aborting
[*] Opening SVCManager on 192.168.148.52.....
[*] Stoping service DglE.....
[*] Removing service DglE.....
[*] Removing file xjgawhWr.exe.....
[!] Error performing the uninstallation, cleaning up
root@kali:~#
Original issue reported on code.google.com by [email protected]
on 21 Aug 2013 at 4:59
What steps will reproduce the problem?
1. from client do "dir \\ip_attack\c$"
2. on attack machine "smbrelayx.py -h ip_DC -e payload.exe"
3.
What is the expected output? What do you see instead?
should execute payload and return to the listener a shell from the DC but
instead;
[*] HTTPD: Received connection from 192.168.246.205, attacking target
192.168.246.207
[*] SMBD: Received connection from 192.168.246.205, attacking target
192.168.246.207
[*] Authenticating against 192.168.246.207 as HACK\Administrator SUCCEED
[*] Requesting shares on 192.168.246.207.....
[!] Error requesting shares on 192.168.246.207, aborting.....
[!] Error performing the installation, cleaning up: SMB SessionError: class:
ERRNT, code: STATUS_ACCESS_DENIED(Access is denied.)
[*] Service Installed.. CONNECT!
[*] Opening SVCManager on 192.168.246.207.....
[!] Error performing the uninstallation, cleaning up
What version of the product are you using? On what operating system?
AD domain 2008r2(with a share) with win7x64sp1 client all full updated
attack machine kalix64
Please provide any additional information below.
I can use psexec.py with or without hashes and get a shell with the same domain
account Administrator.
Original issue reported on code.google.com by [email protected]
on 10 Dec 2013 at 4:57
here's a repro payload:
00000049ff534d42730000000000000000000000000000000000000000005c02000000000dff0000
00ffff02005c02000000000000000000000000010000000b0000004d5300434c49454e5400
and here's a stack trace:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbserver.py", line 2332, in handle
    resp = self.__SMB.processRequest(self.__connId, p.get_trailer())
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbserver.py", line 2651, in processRequest
    packet)
  File "/usr/local/lib/python2.7/dist-packages/impacket/smbserver.py", line 2177, in smbComSessionSetupAndX
    sessionSetupData.fromString(SMBCommand['Data'])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 142, in fromString
    size = self.calcUnpackSize(field[1], data, field[0])
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 464, in calcUnpackSize
    return self.calcUnpackSize(two[0], data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/structure.py", line 496, in calcUnpackSize
    return data.index('\x00')+1
ValueError: substring not found
Original issue reported on code.google.com by [email protected]
on 13 Sep 2012 at 10:08
Reported by Yann Dirson:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703784 :
in the impacket.structure.Structure doc:
| > [little endian]
...
| < [little endian]
| > [big endian]
other typos exist:
| Q [unsigned long ong (quad)]
and it includes literal \x00 in the docstring, where they should
probably have been entered as \\x00, or the docstring should have
been made a raw string.
Original issue reported on code.google.com by [email protected]
on 28 May 2013 at 1:49
I would like to suggest a new feature. It would be nice if Impacket recognized
IEEE 802.1Q tags and provided an interface to inspect them conveniently.
Currently, ImpactPacket.Ethernet does not check for the presence of tags. If
present, a wrong header size and EtherType are reported, which causes
EthDecoder to overlook higher protocol layers. The user is left with an
Ethernet instance containing an ImpactPacket.Data child.
The attached solution extends ImpactPacket.Ethernet with methods managing the
tag stack (get, set, push, pop) and modifies load_header, get_header_size and
get/set_ether_type accordingly. The tag getters/setters work with instances of
EthernetTag, which provide access to the tags' fields. A unit test is included.
Original issue reported on code.google.com by [email protected]
on 12 May 2013 at 4:55
Attachments:
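The header walk this request describes, as an added Python 3 example that is not the attached solution and not Impacket code. The function names, the two-entry TPID list and the sample frames are assumptions made for illustration; the frames are constructed.

```python
import struct
from collections import namedtuple

# TPID values that announce a VLAN tag: 802.1Q C-tag and 802.1ad S-tag.
# (Assumption: only these two are treated as tags in this example.)
TPIDS = (0x8100, 0x88A8)

VlanTag = namedtuple("VlanTag", "tpid pcp dei vid")
EthernetHeader = namedtuple("EthernetHeader", "dst src tags ether_type header_size")


def naive_ether_type(frame):
    """What a tag-unaware decoder reads: the two bytes right after the MACs."""
    return struct.unpack_from("!H", frame, 12)[0]


def parse_ethernet(frame):
    """Parse an Ethernet II header, walking any stacked VLAN tags."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack")
        (value,) = struct.unpack_from("!H", frame, offset)
        if value not in TPIDS:
            break  # not a tag: this is the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        # TCI layout: 3 bits priority, 1 bit drop-eligible, 12 bits VLAN id
        tags.append(VlanTag(value, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        offset += 4
    return EthernetHeader(frame[0:6], frame[6:12], tags, value, offset + 2)


# Constructed sample frames: broadcast destination, locally administered
# source, and the first two bytes of an IPv4 header as payload.
MACS = bytes.fromhex("ffffffffffff" "020000000001")
PAYLOAD = bytes.fromhex("4500")
UNTAGGED = MACS + bytes.fromhex("0800") + PAYLOAD
TAGGED = MACS + bytes.fromhex("8100a064" "0800") + PAYLOAD
QINQ = MACS + bytes.fromhex("88a800c8" "8100a064" "0800") + PAYLOAD

if __name__ == "__main__":
    for label, frame in (("untagged", UNTAGGED), ("tagged", TAGGED), ("qinq", QINQ)):
        hdr = parse_ethernet(frame)
        print("%-8s naive=0x%04x real=0x%04x size=%d vids=%s" % (
            label, naive_ether_type(frame), hdr.ether_type,
            hdr.header_size, [t.vid for t in hdr.tags]))
```

A decoder that stops at the first two bytes after the MAC addresses sees 0x8100 and never reaches the IPv4 layer, which is the behaviour the request describes for tagged traffic.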
Steps needed to properly handle IGMP packets:
==ImpactDecoder.py==
add at line 91:
        elif i.get_ip_p() == ImpactPacket.IGMP.protocol:
            self.igmp_decoder = IGMPDecoder()
            packet = self.igmp_decoder.decode(aBuffer[off:])
add at line 171:
class IGMPDecoder(Decoder):
    def __init__(self):
        pass

    def decode(self, aBuffer):
        ig = ImpactPacket.IGMP(aBuffer)
        off = ig.get_header_size()
        self.data_decoder = DataDecoder()
        packet = self.data_decoder.decode(aBuffer[off:])
        ig.contains(packet)
        return ig
==ImpactPacket.py==
change line 1670:
answer = tmp_dict.get(aType, 'UNKNOWN TYPE OR VERSION ')
change line 1680:
tmp_str += 'Group: ' + socket.inet_ntoa(struct.pack('!L',self.get_igmp_group()))
Hope I haven't missed anything!
Original issue reported on code.google.com by [email protected]
on 1 Jul 2013 at 3:26
I'm trying to run one simple ICMP Spoofing (attached) but I'm getting:
Traceback (most recent call last):
  File "main.py", line 26, in <module>
    icmp.contains(ImpactPacket.Data("a"*100))
  File "/usr/local/lib/python2.7/dist-packages/impacket/ImpactPacket.py", line 485, in __init__
    self.set_data(aBuffer)
  File "/usr/local/lib/python2.7/dist-packages/impacket/ImpactPacket.py", line 488, in set_data
    self.set_bytes_from_string(data)
  File "/usr/local/lib/python2.7/dist-packages/impacket/ImpactPacket.py", line 59, in set_bytes_from_string
    self.__bytes = array.array('B', data)
TypeError: an integer is required
Thank you.
Original issue reported on code.google.com by [email protected]
on 26 Mar 2014 at 1:02
Attachments:
While dumping the "datatable" table of an ntds.dit I get the following message.
"'ascii' codec can't decode byte 0xcd in position 0: ordinal not in range(128)"
and esentutl stops short of finishing the dump afterwards. I think it's
happening around where there are some Chinese characters in the database.
Using impacket version 0.9.12-dev from the svn
Original issue reported on code.google.com by [email protected]
on 22 May 2014 at 2:44
looks like a missing ChallengeLength parameter. The following fixes (I think!)
--- impacket/smbserver.py (revision 717)
+++ impacket/smbserver.py (working copy)
@@ -2238,6 +2238,7 @@
else:
# TODO: Handle random challenges, now one that can be used with rainbow tables
_dialects_data['Challenge'] = '\x11\x22\x33\x44\x55\x66\x77\x88'
+ _dialects_parameters['ChallengeLength'] = 8
_dialects_parameters['Capabilities'] = smb.SMB.CAP_USE_NT_ERRORS | smb.SMB.CAP_NT_SMBS
_dialects_data['Payload'] = ''
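Review bot: the added line sets ChallengeLength to a literal 8 that has to match the eight-byte _dialects_data['Challenge'] string on the line above it. Deriving it instead, as in _dialects_parameters['ChallengeLength'] = len(_dialects_data['Challenge']), keeps the two in step once the TODO about random challenges is handled. The assignment also sits only in this else: branch, so the branch before it is worth checking for the same missing parameter.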
The following packet (this is TCP payload) will trigger:
0000002fff534d42720000000000000000000000000000000000000000005c0200000000000c0002
4e54204c4d20302e313200
Original issue reported on code.google.com by [email protected]
on 13 Sep 2012 at 9:58
Was getting an exception in MSRPCHeader creation:
error: ('unpack requires a string argument of length 1', "When unpacking field
'ver_major | B | ''[:1]'")
Looks like the structure was being initialized before the test for no data was
performed. Flipping it around seemed to make it happy. (Not 100% sure this is
the right solution as I'm just starting to get familiar w/ the codebase)
Index: impacket/dcerpc/dcerpc.py
===================================================================
--- impacket/dcerpc/dcerpc.py (revision 714)
+++ impacket/dcerpc/dcerpc.py (working copy)
@@ -270,8 +270,9 @@
)
def __init__(self, data = None, alignment = 0):
- Structure.__init__(self,data, alignment)
- if data is None:
+ if data:
+ Structure.__init__(self,data, alignment)
+ else:
self['ver_major'] = 5
self['ver_minor'] = 0
self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG
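Review bot: in the new else: branch of __init__, Structure.__init__ is never called, so whatever the base constructor sets up (the alignment argument included) is skipped when no data is passed. Calling Structure.__init__(self, None, alignment) at the top of that branch keeps the base state initialised. The test also changes from "data is None" to "if data:", so an empty string now gets the default header rather than being parsed; if that is intended, a comment saying so would help.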
Original issue reported on code.google.com by [email protected]
on 10 Sep 2012 at 6:15
What steps will reproduce the problem?
1. Create a packet using ImpactPacket.IGMP()
2. Send the packet
What is the expected output? What do you see instead?
Expect an IGMP packet to be constructed, but get:
  File "/Library/Python/2.7/site-packages/impacket/ImpactPacket.py", line 1864, in calculate_checksum
    if self.__auto_checksum and (not self.get_igmp_cksum()):
AttributeError: IGMP instance has no attribute '_IGMP__auto_checksum'
What version of the product are you using? On what operating system?
svn version on OSX 10.8
Please provide any additional information below.
The patch fixing the issue is attached
Original issue reported on code.google.com by [email protected]
on 20 Oct 2012 at 12:01
Attachments:
The problem seems to be that Metasploit advertises extended security
capabilities in the protocol negotiation packet, but not in the session setup
packet. Impacket relies on the negotiation packet to determine capabilities,
and throws an exception trying to parse the non-existent security blob.
This patch resolves the issue by consulting the setup packet instead of the
cached negotiation packet:
===================================================================
--- impacket/smbserver.py (revision 706)
+++ impacket/smbserver.py (working copy)
@@ -2049,8 +2049,10 @@
respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
- if connData['_dialects_parameters']['Capabilities'] &
smb.SMB.CAP_EXTENDED_SECURITY:
- # Extended security. Here we deal with all SPNEGO stuff
+ #if connData['_dialects_parameters']['Capabilities'] &
smb.SMB.CAP_EXTENDED_SECURITY:
+ sessionSetupParameters =
smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
+ if sessionSetupParameters['Capabilities'] &
smb.SMB.CAP_EXTENDED_SECURITY:
+ # Extended security. Here we deal with all SPNEGO stuff
respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters()
respData = smb.SMBSessionSetupAndX_Extended_Response_Data()
sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters'])
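Review bot: the added lines parse SMBCommand['Parameters'] with smb.SMBSessionSetupAndX_Extended_Parameters before it is known that the client sent the extended form, and then use that parse to decide. If the non-extended request lays its parameters out differently, the Capabilities value read here comes from the wrong offset or the parse itself raises, so check which form was sent before parsing, or guard the parse. The old condition left behind as a comment can be dropped, and the last context line of the hunk parses sessionSetupParameters a second time inside the branch, which is now redundant.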
Original issue reported on code.google.com by [email protected]
on 6 Sep 2012 at 12:59
What steps will reproduce the problem?
1. Run secretsdump.py against a remote Domain Controller target
What is the expected output? What do you see instead?
Would like to see continued run if utf error encountered
What version of the product are you using? On what operating system?
Impacket v0.9.12
# $Id: secretsdump.py 1154 2014-03-21 14:49:10Z
Please provide any additional information below.
Here is the specific error messages:
----
[*] Dumping cached domain logon information
(uid:encryptedHash:longDomain:domain)
...
[!] 'utf16' codec can't decode bytes in position 2-3: illegal encoding
[*] Cleaning up...
----
[*] Dumping cached domain logon information
(uid:encryptedHash:longDomain:domain)
...
[!] 'utf16' codec can't decode bytes in position 32-33: illegal UTF-16 surrogate
[*] Cleaning up...
----
If there is a utf16 error of some kind, is it possible for it to continue
reading and extracting the remaining dump?
Original issue reported on code.google.com by [email protected]
on 3 Sep 2014 at 3:08
Ethernet MAC addresses are normally shown with a leading zero when necessary, i.e.:
0a:0b:0c:0d:0e:0f and not a:b:c:d:e:f.
Currently Impacket.py Ethernet.as_eth_addr returns the above.
Attached is a patch that fixes this, adds static calling and
simplifies the logic.
Original issue reported on code.google.com by [email protected]
on 27 Feb 2012 at 2:05
Attachments:
What steps will reproduce the problem?
1. If you modify the timeouts in psexec, sometimes psexec doesn't come back
after throwing a netbiostimeout exception and catching the exception. Of course
because it is timing out.
2. However, looking to run select directly on the socket won't work because a
packet needs to be sent in order to be able to receive a response from the smb
server.
3. There is no function implemented to be able to scan a file on the smb
server to see if the file has new data ready to read.
In short, if you are running psexec as an object instead of a standalone
script, threads will never be able to be collected because they will run until
the timeout is exceeded, a very long time.
What is the expected output? What do you see instead?
There should be a function to be able to check if the remote file has data to
be read or throwing a net bios timeout shouldn't necessarily result in a loss of
connection. Maybe attempting to read 0 bytes should be the norm of checking
to see if the remote file handle has something to be read. Either way, seamless
non-blocking reads from the remote smb should be possible.
example:
try:
    # if there is something to read, read it
    # the following function doesn't exist, but it probably should.
    if self.server.File_ready(self.tid, self.fid):
        ans = self.server.readFile(self.tid, self.fid, 0, 1024)
    else:
        # maybe we want to close the session and say goodbye
        # or maybe we want to continue asking if there is
        # anything to be read. Either way, I should be able to
        # ask the question
        continue
except Exception, e:
    import traceback
    traceback.print_exc()
    pass
What version of the product are you using? On what operating system?
0.9.10
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 7 Jun 2013 at 6:22
What steps will reproduce the problem?
1. run psexec.py on a machine with python installed
2. attempt to run python or a python script or some program that will output to
stderr
3. Nothing is put out to the console
What is the expected output? What do you see instead?
you should be getting all output from the console independent of what is run or
how it is run.
What version of the product are you using? On what operating system?
0.9.9.9
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 16 May 2013 at 12:41
The SMBFindFileBothDirectoryInfo structure implements UnicodeStructure, which
expects the unicode strings to be double NUL terminated.
However, the SMB_FIND_FILE_BOTH_DIRECTORY_INFO uses the FileNameLength
parameter to determine bounds of FileName and not double NUL.
This means that SMBFindFileBothDirectoryInfo is unable to unpack the data
correctly.
This appears to be the same for all FIND information levels.
/usr/local/lib/python2.7/dist-packages/impacket/smb.pyc in __init__(self,
flags, **kargs)
845 else:
846 self.structure = self.AsciiStructure
--> 847 return Structure.__init__(self, **kargs)
848
849 class SMBCommand_Parameters(Structure):
/usr/local/lib/python2.7/dist-packages/impacket/structure.pyc in __init__(self,
data, alignment)
82 self.rawData = data
83 if data is not None:
---> 84 self.fromString(data)
85 else:
86 self.data = None
/usr/local/lib/python2.7/dist-packages/impacket/structure.pyc in
fromString(self, data)
147 dataClassOrCode = field[2]
148 try:
--> 149 self[field[0]] = self.unpack(field[1], data[:size],
dataClassOrCode = dataClassOrCode, field = field[0])
150 except Exception,e:
151 e.args += ("When unpacking field '%s | %s | %r[:%d]'" % (field[0], field[1], data, size),)
/usr/local/lib/python2.7/dist-packages/impacket/structure.pyc in unpack(self,
format, data, dataClassOrCode, field)
343 if format == 'u':
344 if data[-2:] != '\x00\x00':
--> 345 raise Exception, ("%s 'u' field is not NUL-NUL
terminated: %r" % (field, data))
346 return data[:-2] # remove trailing NUL
347
Original issue reported on code.google.com by [email protected]
on 24 Aug 2014 at 10:57
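The length-bounded read this report calls for, as an added Python 3 example that is not Impacket code and not a patch from the report. It assumes the MS-CIFS layout of the 94-byte fixed part of SMB_FIND_FILE_BOTH_DIRECTORY_INFO and a unicode response; the function names and the two sample entries are constructed for illustration.

```python
import struct

# Fixed part of SMB_FIND_FILE_BOTH_DIRECTORY_INFO (little-endian, 94 bytes):
# NextEntryOffset, FileIndex, four FILETIMEs, EndOfFile, AllocationSize,
# ExtFileAttributes, FileNameLength, EaSize, ShortNameLength, Reserved,
# ShortName[24]. FileName follows and is FileNameLength bytes long.
FIXED = struct.Struct("<II4Q2QIIIBB24s")


def parse_find_both_directory_info(buf):
    """Return [(file_name, end_of_file)] from a unicode FIND data buffer."""
    entries = []
    offset = 0
    while True:
        if offset + FIXED.size > len(buf):
            raise ValueError("entry at offset %d is truncated" % offset)
        fields = FIXED.unpack_from(buf, offset)
        next_offset, end_of_file, name_len = fields[0], fields[6], fields[9]
        name_start = offset + FIXED.size
        if name_start + name_len > len(buf):
            raise ValueError("FileNameLength runs past the buffer")
        if next_offset and next_offset < FIXED.size + name_len:
            # Would make the next entry overlap this one (or loop forever).
            raise ValueError("NextEntryOffset points inside the current entry")
        # The name is bounded by FileNameLength, not by a terminator.
        name = buf[name_start:name_start + name_len].decode("utf-16le")
        entries.append((name, end_of_file))
        if next_offset == 0:
            return entries
        offset += next_offset


def name_is_nul_nul_terminated(buf, offset=0):
    """The check a NUL-NUL terminated string field applies to FileName."""
    name_len = FIXED.unpack_from(buf, offset)[9]
    start = offset + FIXED.size
    return buf[start:start + name_len][-2:] == b"\x00\x00"


def build_entry(name, size, last):
    """Build one constructed entry with no padding after FileName."""
    encoded = name.encode("utf-16le")
    next_offset = 0 if last else FIXED.size + len(encoded)
    fixed = FIXED.pack(next_offset, 0, 0, 0, 0, 0, size, size, 0x20,
                       len(encoded), 0, 0, 0, b"")
    return fixed + encoded


# Constructed sample: two entries, neither name followed by a terminator.
SAMPLE = (build_entry("a.txt", 5, False) +
          build_entry("r\u00e9sum\u00e9.doc", 2048, True))

if __name__ == "__main__":
    print("NUL-NUL terminated:", name_is_nul_nul_terminated(SAMPLE))
    for name, size in parse_find_both_directory_info(SAMPLE):
        print("%-12s %d bytes" % (name, size))
```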
What steps will reproduce the problem?
1. Download the 0.9.9.9.9 version
2. run setup.py install
3. run samrdump.py <ip>
What is the expected output? What do you see instead?
The normal smb enumeration info are expected, but it returns:
Traceback (most recent call last):
  File "/usr/local/bin/samrdump.py", line 24, in <module>
    from impacket import uuid, version
ImportError: cannot import name version
What version of the product are you using? On what operating system?
The last one (impacket-0.9.9.9.tar.gz) - Linux Backtrack 5r3
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 18 Jan 2013 at 1:57
What steps will reproduce the problem?
1. Download impacket-0.9.9.9.tar.gz, untar package.
2. cd into impacket directory, run python setup install
3. run interactive python prompt
import module: from impacket.examples import psexec
What is the expected output? What do you see instead?
>>> from impacket.examples import psexec
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named examples
What version of the product are you using? On what operating system?
impacket-0.9.9.9, OS backtrack 5 and also tested on Fedora 16
Please provide any additional information below.
Attempted to include __init__.py within the examples directory. Import still
fails.
Original issue reported on code.google.com by [email protected]
on 30 Apr 2013 at 2:03
What steps will reproduce the problem?
dot11 module assumes that 802.11 elements have ordered ids. When searching for
an element using _find_element() it will stop searching after it finds an
element with an id larger than the one to be found.
IDs don't have to be ordered (Mac-OSX association request has first the
ext-supported-rates (id: 50) and then the ht-capability element (id: 45)).
Trying to find the ht-capability element (using _get_element(45)) returns None
even though there is such an element.
What is the expected output? What do you see instead?
You'd expect to be able to parse the unordered elements, which is not the case.
What version of the product are you using? On what operating system?
trunk (revision 805)
Please provide any additional information below.
Attached a diff that removes the redundant check-skip.
Original issue reported on code.google.com by [email protected]
on 9 Oct 2013 at 10:35
Attachments:
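The lookup behaviour described in this report, as an added Python 3 example that is neither the attached diff nor Impacket's dot11 code. The function names are hypothetical and the element buffer is constructed to follow the id order the report gives (0, 1, 50, 45).

```python
def iter_elements(buf):
    """Yield (element_id, value) for each 802.11 information element in buf.

    Each element is one id byte, one length byte, then length value bytes.
    """
    offset = 0
    while offset < len(buf):
        if offset + 2 > len(buf):
            raise ValueError("element header truncated at offset %d" % offset)
        elem_id, length = buf[offset], buf[offset + 1]
        end = offset + 2 + length
        if end > len(buf):
            raise ValueError("element %d runs past the buffer" % elem_id)
        yield elem_id, buf[offset + 2:end]
        offset = end


def find_element_assuming_order(buf, wanted):
    """Lookup with the early exit the report describes."""
    for elem_id, value in iter_elements(buf):
        if elem_id == wanted:
            return value
        if elem_id > wanted:
            return None  # gives up here: assumes ids only ever increase
    return None


def find_element(buf, wanted):
    """Lookup that scans every element, whatever order the sender used."""
    for elem_id, value in iter_elements(buf):
        if elem_id == wanted:
            return value
    return None


def element(elem_id, value):
    """Encode one information element (helper for the constructed sample)."""
    return bytes([elem_id, len(value)]) + value


# Constructed tagged parameters: SSID (0), supported rates (1),
# extended supported rates (50), then HT capabilities (45).
HT_CAPS = bytes(26)  # placeholder body, all zero
ASSOC_ELEMENTS = (element(0, b"lab") +
                  element(1, bytes.fromhex("82848b96")) +
                  element(50, bytes.fromhex("0c121824")) +
                  element(45, HT_CAPS))

if __name__ == "__main__":
    print("ids on the wire:", [i for i, _ in iter_elements(ASSOC_ELEMENTS)])
    print("ordered lookup of 45:", find_element_assuming_order(ASSOC_ELEMENTS, 45))
    print("full-scan lookup of 45:", find_element(ASSOC_ELEMENTS, 45) is not None)
```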
This patch will also dump password history hashes. Output will look like this:
It was tested successfully with r942 + this patch against Windows 2008 R2 SP1
domain controller.
Cheers
Original issue reported on code.google.com by [email protected]
on 22 Nov 2013 at 6:27
Attachments:
What steps will reproduce the problem?
1. no matter what you do, psexec will always return 1 because general
exceptions are caught at the end of the script
        if len(ans):
            retCode = RemComResponse(ans)
            print "[*] Process %s finished with ErrorCode: %d, ReturnCode: %d" % (self.__command, retCode['ErrorCode'], retCode['ReturnCode'])
        installService.uninstall()
        unInstalled = True
        sys.exit(retCode['ErrorCode'])  # this throws a system exit exception
    except:  # this will catch the system exit exception
        if unInstalled is False:
            installService.uninstall()
        sys.stdout.flush()
        sys.exit(1)  # No matter what, 1 will be returned
Original issue reported on code.google.com by [email protected]
on 18 Jun 2013 at 5:59
As Simple as that..
In particular useful for two reasons:
1) Newer OSX clients would reject the connection if Unicode is not supported
2) Foreign language letters are not properly shown right now.
Original issue reported on code.google.com by [email protected]
on 11 Sep 2012 at 4:33
In the file: http://impacket.googlecode.com/files/impacket-0.9.9.9.tar.gz
- Impacket.spec
- notice how the spec's name doesn't reflect the package name?
- the case of the leading 'i'/'I' is different
- %define version 0.9.9.0_dev
- is not the same version as the "published" package's version (0.9.9.9)
- %define unmangled_version 0.9.9.0-dev
- ditto
- additionally, since the spec is directing rpmbuild to use "{tgz_name}-%{unmangled_version}.tar.gz" (in the Source0 tag) to find the source tarball, it fails since the source is named impacket-0.9.9.9.tar.gz per the "published" version
- License: UNKNOWN
- should reflect the actual license of the software
- %description
- should provide at least a brief description of the package
All of these errors make it difficult to programmatically build your package
with the same code that can successfully build any other properly published
python package such as those found on http://pypi.python.org/.
The unmangled_version fubar makes it actually impossible to build the package
at all without having to manually correct the Impact.spec file.
Original issue reported on code.google.com by [email protected]
on 3 Jan 2013 at 10:06
What steps will reproduce the problem?
1. Try to run wmiexec.py w/ Python 2.6 using ordereddict installed via pip on
Debian 7 x64
# pip install ordereddict
Downloading/unpacking ordereddict
Downloading ordereddict-1.1.tar.gz
Running setup.py egg_info for package ordereddict
Installing collected packages: ordereddict
Running setup.py install for ordereddict
Successfully installed ordereddict
Cleaning up...
What is the expected output? What do you see instead?
Expected:
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies
Password:
SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>
Saw:
./wmiexec.py [email protected]
Traceback (most recent call last):
  File "./wmiexec.py", line 34, in <module>
    from impacket.dcerpc.v5.dcom import wmi
  File "/usr/local/lib/python2.6/dist-packages/impacket/dcerpc/v5/dcom/wmi.py", line 51, in <module>
    from ordereddict.ordereddict import OrderedDict
ImportError: No module named ordereddict
What version of the product are you using? On what operating system?
Trunk
Please provide any additional information below.
Fix was to change:
python2.6/dist-packages/impacket/dcerpc/v5/dcom/wmi.py
Line: 51
from:
from ordereddict.ordereddict import OrderedDict
to:
from ordereddict import OrderedDict
Original issue reported on code.google.com by [email protected]
on 16 Apr 2014 at 7:54
I found your TODO note in line 760 of svcctl.py and indeed I confirm
StartServiceW() method does not work as per definition the arguments must be
provided, therefore I had to leave the start service to still use the old
method:
data = self.__svc.start_service(self.__svc_handle, srvargs)
From
http://msdn.microsoft.com/en-us/library/windows/desktop/ms686321(v=vs.85).aspx:
"[...] the first argument (lpServiceArgVectors[0]) is the name of the service,
followed by any additional arguments (lpServiceArgVectors[1] through
lpServiceArgVectors[dwNumServiceArgs-1])."
Original issue reported on code.google.com by bernardo.damele
on 18 Jan 2012 at 2:27
Hi,
In the __tagToRecord method defined in ese.py line 962, record's columns are
decoded using an encoding retrieved with
"StringCodePages[columnRecord['CodePage']]" line 960.
However, the "StringCodePages" dict does not properly convert internal code
page to an "intelligible" Python encoding when the code page is 1252:
# Code pages
CODEPAGE_UNICODE = 1200
CODEPAGE_ASCII = 20127
CODEPAGE_WESTERN = 1252
StringCodePages = {
    CODEPAGE_UNICODE : 'utf-16le',
    CODEPAGE_ASCII : 'ascii',
    CODEPAGE_WESTERN : 'ascii',
}
Code page 1252 must be converted to "cp1252" instead of "ascii":
    CODEPAGE_WESTERN : 'cp1252'
Otherwise, you will sometimes experience some decoding issues like this one:
UnicodeDecodeError: 'ascii' codec can't decode byte 0xac in position 0: ordinal
not in range(128)
Original issue reported on code.google.com by [email protected]
on 26 Aug 2014 at 4:32
Due to the fact the RemComSVC was compiled using VC2010 (statically to avoid the
need of the VC runtime) it was found this solution doesn't work on Windows 2000
(it says the binary is not a Win32 Application).
According to http://support.microsoft.com/kb/2005279, looks like I will need to
compile the solution with VC2008.
Original issue reported on code.google.com by [email protected]
on 7 Aug 2012 at 10:33
What steps will reproduce the problem?
1. Get a WinXP (e.g. SP2) and have the Administrator password
2. run secretsdump.py against that host
What is the expected output? What do you see instead?
To dump the target's secrets
Result:
It does not, it dumps the following error:
[*] Target system bootKey: 0x
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[!] hashedBootKey CheckSum failed!
[*] Cleaning up...
Original issue reported on code.google.com by [email protected]
on 26 Feb 2014 at 4:18
What steps will reproduce the problem?
1. Download 0.9.10 tgz
2. python setup.py install
3. python psexec.py USER:PASSWORD@IP cmd.exe
What is the expected output?
cmd.exe prompt
What do you see instead?
Impacket v0.9.10 - Copyright 2002-2013 Core Security Technologies
Trying protocol 445/SMB...
Traceback (most recent call last):
  File "psexec.py", line 428, in <module>
    executer.run(address)
  File "psexec.py", line 96, in run
    self.doStuff(rpctransport)
  File "psexec.py", line 120, in doStuff
    dce = rpctransport.get_dce_rpc()
AttributeError: SMBTransport instance has no attribute 'get_dce_rpc'
What version of the product are you using? On what operating system?
Impacket 0.9.10
Fedora 19 64bit
Please provide any additional information below.
I tested with python and python3 without luck. Installation went OK.
Original issue reported on code.google.com by sebastian.treu
on 12 Jan 2014 at 5:58
pcap showing a session that will cause the exception attached.
The pcap was captured "in the wild", no idea what the client was.
  File "/usr/local/Cellar/python/2.7.3/lib/python2.7/site-packages/impacket/smbserver.py", line 2650, in processRequest
    packet)
  File "/usr/local/Cellar/python/2.7.3/lib/python2.7/site-packages/impacket/smbserver.py", line 2063, in smbComSessionSetupAndX
    if struct.unpack('B',sessionSetupData['SecurityBlob'][0])[0] != smb.ASN1_AID:
IndexError: string index out of range
Original issue reported on code.google.com by [email protected]
on 19 Sep 2012 at 6:41
Attachments:
What steps will reproduce the problem?
print packets without __str__ defined (e.g. LLC)
What is the expected output? What do you see instead?
Expected was a string. :-)
  File "XXXXXXXX\Python26\lib\site-packages\impacket\ImpactPacket.py", line 550, in __str__
    tmp_str += '\n' + self.child().__str__()
AttributeError: LLC instance has no attribute '__str__'
What version of the product are you using? On what operating system?
impacket 09.10 with python 2.6.5 on Windows 7
Please provide any additional information below.
You can use str(self.child()) instead of self.child().__str__() which will call
the __str__ function if defined and if not no exception will be raised and at
least a little information "<impacket.dot11.LLC instance at 0x02C9B800>" is
displayed.
Original issue reported on code.google.com by [email protected]
on 19 Sep 2013 at 7:36
with a 64-bit build of python, id() results often exceed 2**32, which causes
structure.pack to be unhappy.
Found this in the srvsvcserver code, but maybe it's elsewhere.. Here's what I
did to fix (not bulletproof, but probably safe?):
Index: impacket/dcerpc/srvsvcserver.py
===================================================================
--- impacket/dcerpc/srvsvcserver.py (revision 714)
+++ impacket/dcerpc/srvsvcserver.py (working copy)
@@ -212,6 +212,9 @@
import ConfigParser
import struct
+def _get_id(o):
+ return id(o) & 0xffffffff
+
class SRVSVCServer(DCERPCServer):
def __init__(self):
DCERPCServer.__init__(self)
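Review bot: _get_id() is added without a comment saying why the value is masked, and id(o) & 0xffffffff can return the same number for two different objects on a 64-bit build. A short docstring stating that the result only has to fit the 32-bit field being packed, and whether collisions matter to the callers, would make the intent clear.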
@@ -243,9 +246,9 @@
answer = srvsvc.SRVSVCSwitchpShareInfo2()
answer['Level'] = 1
answer['InfoStruct'] = srvsvc.SRVSVCShareInfo1()
- answer['InfoStruct']['pNetName'] = id(share)
+ answer['InfoStruct']['pNetName'] = _get_id(share)
answer['InfoStruct']['Type'] = int(share['share type'])
- answer['InfoStruct']['pRemark'] = id(share)+1
+ answer['InfoStruct']['pRemark'] = _get_id(share)+1
answer = str(answer)
netName = srvsvc.NDRString()
remark = srvsvc.NDRString()
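Review bot: at answer['InfoStruct']['pRemark'] = _get_id(share)+1 the 1 is added after the mask, so a masked value of 0xffffffff becomes 0x100000000 and is out of 32-bit range again. Mask after the addition, for example (id(share) + 1) & 0xffffffff, or let _get_id take an offset argument.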
@@ -276,9 +279,9 @@
answer = str(shareEnum)
for i in self.__shares:
shareInfo = srvsvc.SRVSVCShareInfo1()
- shareInfo['pNetName'] = id(i)
+ shareInfo['pNetName'] = _get_id(i)
shareInfo['Type'] = int(self.__shares[i]['share type'])
- shareInfo['pRemark'] = id(i)+1
+ shareInfo['pRemark'] = _get_id(i)+1
answer += str(shareInfo)
for i in self.__shares:
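Review bot: shareInfo['pRemark'] = _get_id(i)+1 repeats the add-after-mask pattern from the previous hunk and needs the same fix. Here the value passed is i, the key iterated from self.__shares, while the previous hunk passes share; if the two pointer fields are meant to be derived the same way in both places, one helper returning the pNetName/pRemark pair would keep them consistent.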
Original issue reported on code.google.com by [email protected]
on 10 Sep 2012 at 5:14
SMB's copy method seems to create a 0 bytes destination file, due to a zero
file size in the "Open AndX response". retr_file method already solves this
issuing a call to query_file_info method to get the actual size (though even
with that added, there is an undeclared variable further down the line).
Original issue reported on code.google.com by jigermano
on 2 Feb 2011 at 8:59
Just a suggestion :)
Original issue reported on code.google.com by [email protected]
on 24 Apr 2010 at 11:08
Impacket will get stuck in an infinite loop while processing TCP Options if
op_len is less than 2.
Attached is a fix that handles this case.
Original issue reported on code.google.com by [email protected]
on 13 Sep 2011 at 4:23
Attachments:
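Why an op_len below 2 stalls an option walker and how a parser can reject it, as an added Python 3 example that is not the fix attached to this report and not Impacket code. The function names and the sample option bytes are constructed for illustration.

```python
TCPOPT_EOL = 0  # end of option list, single byte
TCPOPT_NOP = 1  # padding, single byte


class MalformedOption(ValueError):
    """Raised when an option's length field cannot be valid."""


def parse_tcp_options(raw):
    """Return [(kind, value_bytes)] from the options area of a TCP header.

    EOL and NOP have no length byte. Every other option is kind, length,
    value, where length counts the kind and length bytes themselves and
    therefore can never be below 2.
    """
    options = []
    offset = 0
    while offset < len(raw):
        kind = raw[offset]
        if kind == TCPOPT_EOL:
            options.append((kind, b""))
            break
        if kind == TCPOPT_NOP:
            options.append((kind, b""))
            offset += 1
            continue
        if offset + 1 >= len(raw):
            raise MalformedOption("option %d has no length byte" % kind)
        op_len = raw[offset + 1]
        if op_len < 2:
            # op_len == 0 would leave offset unchanged, so a loop doing
            # "offset += op_len" never ends; op_len == 1 would make the
            # length byte be re-read as the next option's kind.
            raise MalformedOption("option %d has length %d" % (kind, op_len))
        if offset + op_len > len(raw):
            raise MalformedOption("option %d runs past the header" % kind)
        options.append((kind, raw[offset + 2:offset + op_len]))
        offset += op_len
    return options


def is_well_formed(raw):
    """True when the options area parses without a length error."""
    try:
        parse_tcp_options(raw)
    except MalformedOption:
        return False
    return True


# Constructed samples.
# MSS 1460, NOP, window scale 7, NOP, NOP, SACK permitted, EOL
GOOD = bytes.fromhex("020405b4" "01" "030307" "0101" "0402" "00")
ZERO_LEN = bytes.fromhex("020405b4" "0800" "00000000")  # kind 8, op_len 0
ONE_LEN = bytes.fromhex("0801" "0000")                  # kind 8, op_len 1
OVERRUN = bytes.fromhex("080a0102")                     # op_len 10, 4 bytes present

if __name__ == "__main__":
    print(parse_tcp_options(GOOD))
    for label, raw in (("zero", ZERO_LEN), ("one", ONE_LEN), ("overrun", OVERRUN)):
        print(label, "well formed:", is_well_formed(raw))
```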
What steps will reproduce the problem?
1. Authenticate to read only share using smbclient.py
2. Attempt to download a file
3. Get ACCESS_DENIED error
What is the expected output? What do you see instead?
Using the native Linux tool 'smbclient' I followed the same procedure as above,
and was able to download the file without issue. I expected 'smbclient.py'
(indirectly smb.py and the retr_file method) to perform identically, but it did
not.
The SMB source is running Windows XP VM (so SMBv1)
What version of the product are you using? On what operating system?
February 2014: 0.9.11
The issue was reproduced on OS X 10.7.5 and Kali (Linux kali 3.12-kali1-amd64
#1 SMP Debian 3.12.6-2kali1 (2014-01-06) x86_64 GNU/Linux) using the example
'smbclient.py' program.
I'm not sure if this is truly a bug or not - but the behavior I noticed was
inconsistent with the behavior of a vanilla 'smbclient' against the same host.
Original issue reported on code.google.com by [email protected]
on 5 Jun 2014 at 8:16
Starting from MS Windows 2012R2 the lib fails with the errors:
'_smb_upload' failed with exception 'error(32, 'Broken pipe')'
The _smb_upload is our wrapper around the lib.
@contextlib.contextmanager
def smbconnect(self, smbport=139):
    smbconn = impacket.smbconnection.SMBConnection("*SMBSERVER", self.host, sess_port=smbport)
    self.log.debug("SMB connection to {} port {}".format(self.host, smbport))
    smbconn.login(self.creds.username, self.creds.password.plaintext)
    yield smbconn
    smbconn.logoff()

with self.smbconnect(smbport) as smbconn:
    ...
    smbconn.putFile(share, upload_to_path, file_to_upload.read)
Any suggestions are appreciated.
Thank you,
Arthur
Original issue reported on code.google.com by [email protected]
on 29 Jul 2014 at 6:46
Latest stable version of impacket (0.9.11) has a small bug in services.py that
causes an error when you try to pass the hash:
Impacket v0.9.11 - Copyright 2002-2014 Core Security Technologies
Traceback (most recent call last):
  File "./services.py", line 315, in <module>
    services = SVCCTL(username, password, domain, options)
  File "./services.py", line 46, in __init__
    self.__lmhash, self.__nthash = hashes.split(':')
NameError: global name 'hashes' is not defined
On line 46 in services.py:
self.__lmhash, self.__nthash = hashes.split(':')
should be:
self.__lmhash, self.__nthash = options.hashes.split(':')
Original issue reported on code.google.com by [email protected]
on 8 Apr 2014 at 2:57
If smb's unicode_convert is set to 0, a couple of "raise Except" are hit
raising NameError, as Except is undefined.
Original issue reported on code.google.com by jigermano
on 2 Feb 2011 at 9:22
What steps will reproduce the problem?
1. command:
secretsdump.py -system c:\system -security c:\security -sam c:\sam LOCAL
2. output error:
[*] _SC_TlntSvr
[!] can only concatenate tuple (not "unicode") to tuple
3.
What is the expected output?
_SC_TlntSvr
0000 61 00 64 00 6D 00 69 00 6E 00 31 00 32 00 33 00 a.d.m.i.n.1.2.3.
PS: output from creddump-0.3\lsadump.py tool.
What version of the product are you using? On what operating system?
impacket-0.9.12
Python 2.7.8 (32 bits)
windows 2008 R2 (x64)
Original issue reported on code.google.com by [email protected]
on 29 Aug 2014 at 5:17
What steps will reproduce the problem?
1. use nmb.py with polling_read instead of non_polling_read
What is the expected output? What do you see instead?
The code should perform selects until the time left drops to zero or data is
available. Instead, it waits forever or until data is available, at least in
some circumstances.
What version of the product are you using? On what operating system?
impacket-0.9.10.746 on FreeBSD 9.1
Please provide any additional information below.
The code currently looks like this:
try:
    ready, _, _ = select.select([self._sock.fileno() ], [ ], [ ], 0)
    print 'polling_read: time left', time_left # Added for debugging
    if not ready:
        if time_left == 0:
            raise NetBIOSTimeout
I believe the "time_left == 0" should be changed to "time_left <= 0"
Here's output with the debug message in place:
$ ./test.py
polling_read: time left 0.5 ready: []
polling_read: time left 0.475 ready: [6]
polling_read: time left 0.5 ready: [6]
polling_read: time left 0.5 ready: []
polling_read: time left 0.475 ready: []
polling_read: time left 0.45 ready: []
polling_read: time left 0.425 ready: [6]
polling_read: time left 0.5 ready: [6]
polling_read: time left 0.5 ready: []
polling_read: time left 0.475 ready: [6]
polling_read: time left 0.5 ready: [6]
polling_read: time left 0.5 ready: []
polling_read: time left 0.475 ready: []
polling_read: time left 0.45 ready: []
polling_read: time left 0.425 ready: []
polling_read: time left 0.4 ready: []
polling_read: time left 0.375 ready: []
polling_read: time left 0.35 ready: []
polling_read: time left 0.325 ready: []
polling_read: time left 0.3 ready: []
polling_read: time left 0.275 ready: []
polling_read: time left 0.25 ready: []
polling_read: time left 0.225 ready: []
polling_read: time left 0.2 ready: []
polling_read: time left 0.175 ready: []
polling_read: time left 0.15 ready: []
polling_read: time left 0.125 ready: []
polling_read: time left 0.1 ready: []
polling_read: time left 0.075 ready: []
polling_read: time left 0.05 ready: []
polling_read: time left 0.025 ready: []
polling_read: time left -1.5959455979e-16 ready: []
polling_read: time left -0.025 ready: []
polling_read: time left -0.05 ready: []
polling_read: time left -0.075 ready: []
polling_read: time left -0.1 ready: []
polling_read: time left -0.125 ready: []
. . .
So the timer heads toward zero but due to float rounding it never hits exactly
zero. As written, the code also seems to require the timeout to be an exact
multiple of the CHUNK_TIME (0.025).
Original issue reported on code.google.com by [email protected]
on 17 May 2013 at 7:13
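The countdown from this report, reproduced without a socket, next to a read loop that uses a monotonic deadline instead of a float countdown. This is an added example, not Impacket's nmb.py; the names ticks_until_timeout and polling_read (as a free function) are assumptions, and unlike the countdown in the report the deadline here covers the whole read rather than resetting when data arrives.

```python
import select
import socket
import time

CHUNK_TIME = 0.025  # polling interval quoted in the report


def ticks_until_timeout(timeout, expired, max_ticks=1000):
    """Count loop iterations until expired(time_left) is true.

    Mirrors the reported countdown (time_left -= CHUNK_TIME per idle poll).
    Returns None if the check never fires within max_ticks iterations.
    """
    time_left = timeout
    for tick in range(max_ticks):
        if expired(time_left):
            return tick
        time_left -= CHUNK_TIME
    return None


def polling_read(sock, read_length, timeout):
    """Read exactly read_length bytes from sock or raise TimeoutError.

    The deadline is compared with <=, so the timeout does not need to be
    a multiple of CHUNK_TIME and float rounding cannot skip past it.
    """
    deadline = time.monotonic() + timeout
    data = b""
    while len(data) < read_length:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("no data within %.3f s" % timeout)
        # Let select() do the waiting, bounded by the time that is left.
        ready, _, _ = select.select([sock], [], [], min(remaining, CHUNK_TIME))
        if not ready:
            continue
        chunk = sock.recv(read_length - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data
```

With a 0.5 second timeout, the equality test never fires because the twentieth subtraction lands just below zero, while the `<=` test fires on that iteration.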
Function strerror in smb.py references ERRBROWSE which is undefined.
Original issue reported on code.google.com by jigermano
on 2 Feb 2011 at 9:16
When a SessionError exception is raised, if one "prints" the exception, it
shows something like:
Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a',
'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code:
ERRnoaccess(Access denied.)
Original issue reported on code.google.com by jigermano
on 2 Feb 2011 at 8:51
The common header defined in class NTLMAuthHeader in ntlm.py is actually
exclusive to DCE/RPC, not NTLM. So if included (see r246), DCE/RPC
authentication with NTLM1 works, but SMB with NTLM1 doesn't.
Original issue reported on code.google.com by jigermano
on 2 Feb 2011 at 8:48
What steps will reproduce the problem?
1. Have a w2k with Administrator password
2. Run secrets dump against that host.
What is the expected output? What do you see instead?
To dump the target secrets.
What happens?
it does not.. and dumps the following error:
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x4accc2a5af48818b826ab78d68bbe12f
[+] Checking NoLMHash Policy
[!] RRP SessionError: code: 0x2 - ERROR_FILE_NOT_FOUND - The system
cannot find the file specified.
[*] Cleaning up...
Original issue reported on code.google.com by [email protected]
on 4 Mar 2014 at 6:47
This is actually a feature request.
While coding the smb_lookupsid module for patator (which does the same as
metasploit's auxiliary/scanner/smb/smb_lookupsid module), I came up with this
patch for impacket in order to be able to print the SID type along with the
account name (ie. SidTypeUser, SidTypeGroup, ... cf.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379601%28v=vs.85%29.aspx)
Do you think you might want to add this feature?
Original issue reported on code.google.com by [email protected]
on 23 Apr 2012 at 4:48
Attachments:
root@kali:~/impacket/impacket# smbclient -v -S required //localhost/TMP
Enter root's password:
smb_signing_good: BAD SIG: seq 1
smb_signing_good: BAD SIG: seq 3
session setup failed: NT_STATUS_ACCESS_DENIED
Since impacket 0.9.10 added support for smb signing, I hoped and expected to
see this working in smbserver.py as well. Maybe it was started and forgotten,
since hashlib was imported.
I am using svn checkout rev 1056.
Original issue reported on code.google.com by [email protected]
on 3 Jan 2014 at 7:16