/* Unix SMB/CIFS implementation. RPC pipe client Copyright (C) Guenther Deschner 2008 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ #include "includes.h" #include "rpcclient.h" #include "../librpc/gen_ndr/ndr_drsuapi_c.h" static WERROR cracknames(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, struct policy_handle *bind_handle, enum drsuapi_DsNameFormat format_offered, enum drsuapi_DsNameFormat format_desired, int argc, const char **argv, union drsuapi_DsNameCtr *ctr) { NTSTATUS status; WERROR werr; int i; uint32_t level = 1; union drsuapi_DsNameRequest req; uint32_t level_out; struct drsuapi_DsNameString *names; struct dcerpc_binding_handle *b = cli->binding_handle; names = talloc_zero_array(mem_ctx, struct drsuapi_DsNameString, argc); W_ERROR_HAVE_NO_MEMORY(names); for (i=0; ibinding_handle; union drsuapi_DsNameCtr ctr; if (argc < 2) { printf("usage: %s name\n", argv[0]); return WERR_OK; } GUID_from_string(DRSUAPI_DS_BIND_GUID, &bind_guid); status = dcerpc_drsuapi_DsBind(b, mem_ctx, &bind_guid, NULL, &bind_handle, &werr); if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); } if (!W_ERROR_IS_OK(werr)) { return werr; } werr = cracknames(cli, mem_ctx, &bind_handle, DRSUAPI_DS_NAME_FORMAT_UNKNOWN, DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 1, argv+1, &ctr); if (!W_ERROR_IS_OK(werr)) { goto out; } for (i=0; i < ctr.ctr1->count; i++) { printf("status: %d\n", ctr.ctr1->array[i].status); printf("dns_domain_name: %s\n", ctr.ctr1->array[i].dns_domain_name); printf("result_name: %s\n", ctr.ctr1->array[i].result_name); } out: if (is_valid_policy_hnd(&bind_handle)) { WERROR _werr; dcerpc_drsuapi_DsUnbind(b, mem_ctx, &bind_handle, &_werr); } return werr; } static void display_domain_controller_info_01(struct drsuapi_DsGetDCConnection01 *r) { printf("client_ip_address:\t%s\n", r->client_ip_address); printf("unknown2:\t%d\n", r->unknown2); printf("connection_time:\t%d\n", r->connection_time); printf("unknown4:\t%d\n", r->unknown4); printf("unknown5:\t%d\n", r->unknown5); printf("unknown6:\t%d\n", r->unknown6); printf("client_account:\t%s\n", r->client_account); } static void display_domain_controller_info_1(struct drsuapi_DsGetDCInfo1 *r) { printf("netbios_name:\t%s\n", r->netbios_name); printf("dns_name:\t%s\n", r->dns_name); printf("site_name:\t%s\n", r->site_name); printf("computer_dn:\t%s\n", r->computer_dn); printf("server_dn:\t%s\n", r->server_dn); printf("is_pdc:\t\t%s\n", r->is_pdc ? "true" : "false"); printf("is_enabled:\t%s\n", r->is_enabled ? "true" : "false"); } static void display_domain_controller_info_2(struct drsuapi_DsGetDCInfo2 *r) { printf("netbios_name:\t%s\n", r->netbios_name); printf("dns_name:\t%s\n", r->dns_name); printf("site_name:\t%s\n", r->site_name); printf("site_dn:\t%s\n", r->site_dn); printf("computer_dn:\t%s\n", r->computer_dn); printf("server_dn:\t%s\n", r->server_dn); printf("ntds_dn:\t%s\n", r->ntds_dn); printf("is_pdc:\t\t%s\n", r->is_pdc ? "true" : "false"); printf("is_enabled:\t%s\n", r->is_enabled ? "true" : "false"); printf("is_gc:\t\t%s\n", r->is_gc ? "true" : "false"); printf("site_guid:\t%s\n", GUID_string(talloc_tos(), &r->site_guid)); printf("computer_guid:\t%s\n", GUID_string(talloc_tos(), &r->computer_guid)); printf("server_guid:\t%s\n", GUID_string(talloc_tos(), &r->server_guid)); printf("ntds_guid:\t%s\n", GUID_string(talloc_tos(), &r->ntds_guid)); } static void display_domain_controller_info_3(struct drsuapi_DsGetDCInfo3 *r) { printf("netbios_name:\t%s\n", r->netbios_name); printf("dns_name:\t%s\n", r->dns_name); printf("site_name:\t%s\n", r->site_name); printf("site_dn:\t%s\n", r->site_dn); printf("computer_dn:\t%s\n", r->computer_dn); printf("server_dn:\t%s\n", r->server_dn); printf("ntds_dn:\t%s\n", r->ntds_dn); printf("is_pdc:\t\t%s\n", r->is_pdc ? "true" : "false"); printf("is_enabled:\t%s\n", r->is_enabled ? "true" : "false"); printf("is_gc:\t\t%s\n", r->is_gc ? "true" : "false"); printf("is_rodc:\t%s\n", r->is_rodc ? "true" : "false"); printf("site_guid:\t%s\n", GUID_string(talloc_tos(), &r->site_guid)); printf("computer_guid:\t%s\n", GUID_string(talloc_tos(), &r->computer_guid)); printf("server_guid:\t%s\n", GUID_string(talloc_tos(), &r->server_guid)); printf("ntds_guid:\t%s\n", GUID_string(talloc_tos(), &r->ntds_guid)); } static void display_domain_controller_info(int32_t level, union drsuapi_DsGetDCInfoCtr *ctr) { int i; switch (level) { case DRSUAPI_DC_CONNECTION_CTR_01: for (i=0; ictr01.count; i++) { printf("----------\n"); display_domain_controller_info_01(&ctr->ctr01.array[i]); } break; case DRSUAPI_DC_INFO_CTR_1: for (i=0; ictr1.count; i++) { printf("----------\n"); display_domain_controller_info_1(&ctr->ctr1.array[i]); } break; case DRSUAPI_DC_INFO_CTR_2: for (i=0; ictr2.count; i++) { printf("----------\n"); display_domain_controller_info_2(&ctr->ctr2.array[i]); } break; case DRSUAPI_DC_INFO_CTR_3: for (i=0; ictr3.count; i++) { printf("----------\n"); display_domain_controller_info_3(&ctr->ctr3.array[i]); } break; default: break; } } static WERROR cmd_drsuapi_getdcinfo(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status; WERROR werr; struct GUID bind_guid; struct policy_handle bind_handle; struct dcerpc_binding_handle *b = cli->binding_handle; const char *domain = NULL; int32_t level = 1; int32_t level_out; union drsuapi_DsGetDCInfoRequest req; union drsuapi_DsGetDCInfoCtr ctr; if (argc < 2) { printf("usage: %s domain [level]\n", argv[0]); return WERR_OK; } domain = argv[1]; if (argc >= 3) { level = atoi(argv[2]); } GUID_from_string(DRSUAPI_DS_BIND_GUID, &bind_guid); status = dcerpc_drsuapi_DsBind(b, mem_ctx, &bind_guid, NULL, &bind_handle, &werr); if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); } if (!W_ERROR_IS_OK(werr)) { return werr; } req.req1.domain_name = domain; req.req1.level = level; status = dcerpc_drsuapi_DsGetDomainControllerInfo(b, mem_ctx, &bind_handle, 1, &req, &level_out, &ctr, &werr); if (!NT_STATUS_IS_OK(status)) { werr = ntstatus_to_werror(status); goto out; } if (!W_ERROR_IS_OK(werr)) { goto out; } display_domain_controller_info(level_out, &ctr); out: if (is_valid_policy_hnd(&bind_handle)) { WERROR _werr; dcerpc_drsuapi_DsUnbind(b, mem_ctx, &bind_handle, &_werr); } return werr; } static WERROR cmd_drsuapi_writeaccountspn(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { NTSTATUS status; WERROR werr; struct GUID bind_guid; struct policy_handle bind_handle; struct dcerpc_binding_handle *b = cli->binding_handle; struct drsuapi_DsNameString *spn_names = NULL; int i = 0; uint32_t level_out; union drsuapi_DsWriteAccountSpnRequest req; union drsuapi_DsWriteAccountSpnResult result; if (argc < 4) { printf("usage: %s [add|replace|delete] dn [spn_names]+\n", argv[0]); return WERR_OK; } req.req1.unknown1 = 0; /* Unused, must be 0 */ req.req1.object_dn = argv[2]; req.req1.count = argc - 3; if (strcmp(argv[1], "add") == 0) { req.req1.operation = DRSUAPI_DS_SPN_OPERATION_ADD; } else if (strcmp(argv[1], "replace") == 0) { req.req1.operation = DRSUAPI_DS_SPN_OPERATION_REPLACE; } else if (strcmp(argv[1], "delete") == 0) { req.req1.operation = DRSUAPI_DS_SPN_OPERATION_DELETE; } else { printf("usage: %s [add|replace|delete] dn [spn_names]+\n", argv[0]); return WERR_OK; } spn_names = talloc_zero_array(mem_ctx, struct drsuapi_DsNameString, req.req1.count); W_ERROR_HAVE_NO_MEMORY(spn_names); for (i=0; ibinding_handle; struct GUID bind_guid; struct drsuapi_DsBindInfoCtr bind_info; struct drsuapi_DsBindInfo28 info28; const char *nc_dn = NULL; DATA_BLOB session_key; uint32_t level = 8; bool single = false; uint32_t level_out = 0; union drsuapi_DsGetNCChangesRequest req; union drsuapi_DsGetNCChangesCtr ctr; struct drsuapi_DsReplicaObjectIdentifier nc; struct drsuapi_DsGetNCChangesCtr1 *ctr1 = NULL; struct drsuapi_DsGetNCChangesCtr6 *ctr6 = NULL; uint32_t out_level = 0; int y; uint32_t supported_extensions = 0; uint32_t replica_flags = DRSUAPI_DRS_WRIT_REP | DRSUAPI_DRS_INIT_SYNC | DRSUAPI_DRS_PER_SYNC | DRSUAPI_DRS_GET_ANC | DRSUAPI_DRS_NEVER_SYNCED; if (argc > 3) { printf("usage: %s [naming_context_or_object_dn [single]]\n", argv[0]); return WERR_OK; } if (argc >= 2) { nc_dn = argv[1]; } if (argc == 3) { if (strequal(argv[2], "single")) { single = true; } else { printf("warning: ignoring unknown argument '%s'\n", argv[2]); } } ZERO_STRUCT(info28); ZERO_STRUCT(req); GUID_from_string(DRSUAPI_DS_BIND_GUID, &bind_guid); info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_BASE; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_KCC_EXECUTE; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRY_V2; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_LINKED_VALUE_REPLICATION; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V2; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_INSTANCE_TYPE_NOT_REQ_ON_MOD; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_CRYPTO_BIND; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_REPL_INFO; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_STRONG_ENCRYPTION; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V01; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_TRANSITIVE_MEMBERSHIP; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADD_SID_HISTORY; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_POST_BETA3; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GET_MEMBERSHIPS2; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V6; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_NONDOMAIN_NCS; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V5; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V6; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_ADDENTRYREPLY_V3; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_GETCHGREPLY_V7; info28.supported_extensions |= DRSUAPI_SUPPORTED_EXTENSION_VERIFY_OBJECT; info28.site_guid = GUID_zero(); info28.pid = 0; info28.repl_epoch = 0; bind_info.length = 28; bind_info.info.info28 = info28; status = dcerpc_drsuapi_DsBind(b, mem_ctx, &bind_guid, &bind_info, &bind_handle, &werr); if (!NT_STATUS_IS_OK(status)) { return ntstatus_to_werror(status); } if (!W_ERROR_IS_OK(werr)) { return werr; } if (bind_info.length == 24) { supported_extensions = bind_info.info.info24.supported_extensions; } else if (bind_info.length == 28) { supported_extensions = bind_info.info.info28.supported_extensions; } else if (bind_info.length == 32) { supported_extensions = bind_info.info.info32.supported_extensions; } else if (bind_info.length == 48) { supported_extensions = bind_info.info.info48.supported_extensions; } else if (bind_info.length == 52) { supported_extensions = bind_info.info.info52.supported_extensions; } if (!nc_dn) { union drsuapi_DsNameCtr crack_ctr; const char *name; name = talloc_asprintf(mem_ctx, "%s\\", lp_workgroup()); W_ERROR_HAVE_NO_MEMORY(name); werr = cracknames(cli, mem_ctx, &bind_handle, DRSUAPI_DS_NAME_FORMAT_UNKNOWN, DRSUAPI_DS_NAME_FORMAT_FQDN_1779, 1, &name, &crack_ctr); if (!W_ERROR_IS_OK(werr)) { return werr; } if (crack_ctr.ctr1->count != 1) { return WERR_NO_SUCH_DOMAIN; } if (crack_ctr.ctr1->array[0].status != DRSUAPI_DS_NAME_STATUS_OK) { return WERR_NO_SUCH_DOMAIN; } nc_dn = talloc_strdup(mem_ctx, crack_ctr.ctr1->array[0].result_name); W_ERROR_HAVE_NO_MEMORY(nc_dn); printf("using: %s\n", nc_dn); } nc.dn = nc_dn; nc.guid = GUID_zero(); nc.sid = (struct dom_sid) {0}; if (supported_extensions & DRSUAPI_SUPPORTED_EXTENSION_GETCHGREQ_V8) { level = 8; req.req8.naming_context = &nc; req.req8.replica_flags = replica_flags; req.req8.max_object_count = 402; req.req8.max_ndr_size = 402116; if (single) { req.req8.extended_op = DRSUAPI_EXOP_REPL_OBJ; } } else { level = 5; req.req5.naming_context = &nc; req.req5.replica_flags = replica_flags; req.req5.max_object_count = 402; req.req5.max_ndr_size = 402116; if (single) { req.req5.extended_op = DRSUAPI_EXOP_REPL_OBJ; } } status = dcerpc_binding_handle_auth_session_key( b, mem_ctx, &session_key); if (!NT_STATUS_IS_OK(status)) { printf("Failed to get Session Key: %s", nt_errstr(status)); return ntstatus_to_werror(status); } for (y=0; ;y++) { if (level == 8) { DEBUG(1,("start[%d] tmp_higest_usn: %llu , highest_usn: %llu\n",y, (long long)req.req8.highwatermark.tmp_highest_usn, (long long)req.req8.highwatermark.highest_usn)); } status = dcerpc_drsuapi_DsGetNCChanges(b, mem_ctx, &bind_handle, level, &req, &level_out, &ctr, &werr); if (!NT_STATUS_IS_OK(status)) { werr = ntstatus_to_werror(status); printf("Failed to get NC Changes: %s", get_friendly_nt_error_msg(status)); goto out; } if (!W_ERROR_IS_OK(werr)) { printf("Failed to get NC Changes: %s", get_friendly_werror_msg(werr)); goto out; } if (level_out == 1) { out_level = 1; ctr1 = &ctr.ctr1; } else if (level_out == 2 && ctr.ctr2.mszip1.ts) { out_level = 1; ctr1 = &ctr.ctr2.mszip1.ts->ctr1; } if (out_level == 1) { DEBUG(1,("end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",y, (long long)ctr1->new_highwatermark.tmp_highest_usn, (long long)ctr1->new_highwatermark.highest_usn)); #if 0 libnet_dssync_decrypt_attributes(mem_ctx, &session_key, ctr1->first_object); #endif if (ctr1->more_data) { req.req5.highwatermark = ctr1->new_highwatermark; continue; } } if (level_out == 6) { out_level = 6; ctr6 = &ctr.ctr6; } else if (level_out == 7 && ctr.ctr7.level == 6 && ctr.ctr7.type == DRSUAPI_COMPRESSION_TYPE_MSZIP && ctr.ctr7.ctr.mszip6.ts) { out_level = 6; ctr6 = &ctr.ctr7.ctr.mszip6.ts->ctr6; } else if (level_out == 7 && ctr.ctr7.level == 6 && ctr.ctr7.type == DRSUAPI_COMPRESSION_TYPE_WIN2K3_LZ77_DIRECT2 && ctr.ctr7.ctr.xpress6.ts) { out_level = 6; ctr6 = &ctr.ctr7.ctr.xpress6.ts->ctr6; } if (out_level == 6) { DEBUG(1,("end[%d] tmp_highest_usn: %llu , highest_usn: %llu\n",y, (long long)ctr6->new_highwatermark.tmp_highest_usn, (long long)ctr6->new_highwatermark.highest_usn)); #if 0 libnet_dssync_decrypt_attributes(mem_ctx, &session_key, ctr6->first_object); #endif if (ctr6->more_data) { req.req8.highwatermark = ctr6->new_highwatermark; continue; } } break; } out: return werr; } /* List of commands exported by this module */ struct cmd_set drsuapi_commands[] = { { .name = "DRSUAPI", }, { .name = "dscracknames", .returntype = RPC_RTYPE_WERROR, .ntfn = NULL, .wfn = cmd_drsuapi_cracknames, .table = &ndr_table_drsuapi, .rpc_pipe = NULL, .description = "Crack Name", .usage = "", }, { .name = "dsgetdcinfo", .returntype = RPC_RTYPE_WERROR, .ntfn = NULL, .wfn = cmd_drsuapi_getdcinfo, .table = &ndr_table_drsuapi, .rpc_pipe = NULL, .description = "Get Domain Controller Info", .usage = "", }, { .name = "dsgetncchanges", .returntype = RPC_RTYPE_WERROR, .ntfn = NULL, .wfn = cmd_drsuapi_getncchanges, .table = &ndr_table_drsuapi, .rpc_pipe = NULL, .description = "Get NC Changes", .usage = "", }, { .name = "dswriteaccountspn", .returntype = RPC_RTYPE_WERROR, .ntfn = NULL, .wfn = cmd_drsuapi_writeaccountspn, .table = &ndr_table_drsuapi, .rpc_pipe = NULL, .description = "Write Account SPN", .usage = "", }, { .name = NULL, }, };