Hey guys,
the included samrdump.py script crashes in some cases:
Code:
root@bt:~# /pentest/python/impacket-examples/samrdump.py 10.8.28.240
Retrieving endpoint list from 10.8.28.240
Trying protocol 445/SMB...
Found domain(s):
. WIN2K-ENG-SP0
. Builtin
Looking up users in domain WIN2K-ENG-SP0
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: IUSR_WIN2K-ENG, uid = 1001
Found user: IWAM_WIN2K-ENG, uid = 1002
Found user: TsInternetUser, uid = 1000
Administrator (500)/Enabled: true
Administrator (500)/Kickoff: Wed, 16 Dec 2009 11:39:20
Administrator (500)/PWD Can Change: Wed, 16 Dec 2009 11:39:20
Administrator (500)/PWD Must Change: Infinity
Administrator (500)/Group id: 513
Administrator (500)/Bad pwd count: 0
Administrator (500)/Logon count: 4
Administrator (500)/Profile:
Administrator (500)/Comment:
Administrator (500)/Logon hours: Unlimited
Administrator (500)/Workstations:
Administrator (500)/Description: Built-in account for administering the computer/domain
Administrator (500)/Parameters:
Administrator (500)/Script:
Administrator (500)/Home Drive:
Administrator (500)/Account Name: Administrator
Administrator (500)/Home:
Administrator (500)/Full Name:
Guest (501)/Enabled: false
Guest (501)/Kickoff:
Traceback (most recent call last):
File "/pentest/python/impacket-examples/samrdump.py", line 182, in <module>
dumper.dump(address)
File "/pentest/python/impacket-examples/samrdump.py", line 83, in dump
print base + '/Kickoff:', user.get_kickoff_time()
File "/var/lib/python-support/python2.5/impacket/dcerpc/samr.py", line 134, in get_kickoff_time
return display_time(self._kickoff_time_high, self._kickoff_time_low)
File "/var/lib/python-support/python2.5/impacket/dcerpc/samr.py", line 35, in display_time
r = (strftime("%a, %d %b %Y %H:%M:%S",gmtime(d)), minutes_utc/60)[0]
ValueError: timestamp out of range for platform time_t
A small and dirty fix is the following:
Code:
"/var/lib/python-support/python2.5/impacket/dcerpc/samr.py"
def display_time(filetime_high, filetime_low, minutes_utc=0):
    # strftime and gmtime come from the time module imported at the top of samr.py
    d = filetime_high*4.0*1.0*(1<<30)
    d += filetime_low
    d *= 1.0e-7
    d -= (369.0*365.25*24*60*60-(3.0*24*60*60+6.0*60*60))
    if minutes_utc == 0:
        try: #dirty fix
            r = (strftime("%a, %d %b %Y %H:%M:%S",gmtime(d)), minutes_utc/60)[0]
        except ValueError: #dirty fix: gmtime() rejects the timestamp, as in the traceback above
            r = 0 #dirty fix
    else:
        try: #dirty fix
            r = "%s GMT %d " % (strftime("%a, %d %b %Y %H:%M:%S",gmtime(d)), minutes_utc/60)
        except ValueError: #dirty fix
            r = 0 #dirty fix
    return r
Fixing the date from a negative value to 0 helps to complete the script and get all the other details.
If there is a connection error, a huge traceback appears on your screen. If you would like to control it, you can use a new variable called "debug" (lines 26 and 70):
Code:
25
26 debug = 0 #new debug variable for traceback controlling
27
...
68 except Exception, e:
69     print 'Protocol failed: %s' % e
70     if debug == 1:
71         raise
Setting it to 1 will raise the traceback; otherwise no traceback will be printed on the screen.
And lastly, I think it is quite cool to scan more than one IP at a time (load a file with IP addresses). For this I have added the following code:
Code:
21a22
> import os
166a175
> print "address could also be a file with one IP per line"
177d185
< dumper.dump(address)
178a187,192
> if os.path.isfile(address):
> addressfile = open(address, "r")
> for address in addressfile.readlines():
> dumper.dump(address)
> else:
> dumper.dump(address)
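Review bot: in the 178a187,192 hunk, each entry returned by addressfile.readlines() still ends with its newline, so dumper.dump(address) is called with a value such as "10.8.28.240\n" and a blank line in the file becomes an empty target. Strip each line and skip empty ones before the call, for example `address = address.strip()` followed by `if not address: continue`. The handle addressfile is never closed, and the loop variable reuses the name address that holds the file path; a separate name (for example host) plus an explicit addressfile.close() after the loop would make this easier to follow.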
The complete, modified files are located here: http://www.s3cur1ty.de/fixing-samrdump_py
m-1-k-3
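
An added example, not part of the original post or of impacket: a FILETIME formatter that avoids the platform time_t limit behind the traceback above by using integer arithmetic and datetime instead of gmtime(). It is written for Python 3. The function name, the "Not set" / "Out of range" labels and the treatment of 0 and 0x7FFFFFFFFFFFFFFF as "no expiry" sentinels are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: largest signed 64-bit value is used as a "never" marker.
NEVER = 0x7FFFFFFFFFFFFFFF


def filetime_to_text(high, low):
    """Format a FILETIME given as two 32-bit halves.

    Returns a label instead of raising when the value is a sentinel
    or lies outside the range datetime can represent.
    """
    # Mask both halves so signed 32-bit inputs are handled as well.
    ticks = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    if ticks == 0:
        return "Not set"
    if ticks == NEVER:
        return "Infinity"
    try:
        # Integer microseconds: no float rounding, no time_t conversion.
        when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        # Date beyond year 9999: report the raw value for later analysis.
        return "Out of range (0x%016x)" % ticks
    return when.strftime("%a, %d %b %Y %H:%M:%S")


if __name__ == "__main__":
    # Constructed sample values (high, low), not captured from a real host.
    samples = [
        (0x01CA7E46, 0x00000000),   # a date in December 2009
        (0, 0),                     # unset field
        (0x7FFFFFFF, 0xFFFFFFFF),   # "never" sentinel
        (0xFFFFFFFF, 0xFFFFFFFF),   # unrepresentable value
    ]
    for high, low in samples:
        print("%08x:%08x -> %s" % (high, low, filetime_to_text(high, low)))
```

Returning a label for unrepresentable values keeps the raw number visible, unlike replacing it with 0.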