    def fromString(self, data):
        """Parse an NTLM AUTHENTICATE_MESSAGE and extract its payload fields.

        ``Structure.fromString`` decodes the fixed header; the variable-length
        payload items (domain, host, user, NTLM and LM responses) are then
        located through the offset/length pairs carried in that header.  Per
        [MS-NLMP] the payload items may appear in any order with arbitrary
        padding, so every item is sliced independently out of ``data``.

        Offsets and lengths are supplied by the peer and therefore untrusted.
        Python slicing never reads outside ``data``: an out-of-range pair
        yields a shorter (possibly empty) value instead of raising.
        """
        Structure.fromString(self, data)
        # (field to fill, header field holding its offset, header field holding its length)
        payload_fields = (
            ('domain_name', 'domain_offset', 'domain_len'),
            ('host_name', 'host_offset', 'host_len'),
            ('user_name', 'user_offset', 'user_len'),
            ('ntlm', 'ntlm_offset', 'ntlm_len'),
            ('lanman', 'lanman_offset', 'lanman_len'),
        )
        for target, offset_key, length_key in payload_fields:
            start = self[offset_key]
            self[target] = data[start:start + self[length_key]]
 def __init__(self, data=None, alignment=0):
     """Initialise the structure, wrapping ``Buffer`` in an NDR array when parsing.

     When raw ``data`` is given, the ``Buffer`` field decoded by
     ``Structure.__init__`` is re-interpreted as an ``ndrutils.NDRArray`` of
     ``SESSION_INFO_502`` items and stored back into ``Buffer``.  Without
     data (building a request from scratch) ``Buffer`` is left untouched.
     """
     Structure.__init__(self, data, alignment)
     if not data:
         return
     # Keep a private reference to the parsed array as well as exposing it via 'Buffer'.
     parsed = ndrutils.NDRArray(data=self['Buffer'], itemClass=SESSION_INFO_502)
     self.__array = parsed
     self['Buffer'] = parsed
 def __init__(self, username='', password='', challenge='', lmhash='', nthash='', flags=0):
     """Build an NTLM AUTHENTICATE_MESSAGE carrying NTLMv1 responses.

     ``user_name`` is stored UTF-16LE encoded; ``domain_name`` and
     ``host_name`` start out empty.  The negotiate flags are a fixed set
     (128-bit key, key exchange, NTLM key, Unicode, sign, seal).
     NOTE(review): the ``flags`` argument is accepted but never read, so a
     caller passing a non-zero value still gets the fixed set — confirm
     whether that is intended.

     Response selection:
       * username plus an LM or NT hash  -> responses computed from the hashes
       * username plus password          -> hashes derived from the password first
       * anything else                   -> empty responses (NULL session), with
         ``host_name`` forced to 'NULL' because a hostname must be present.
     """
     Structure.__init__(self)
     self['session_key'] = ''
     self['user_name'] = username.encode('utf-16le')
     self['domain_name'] = ''
     self['host_name'] = ''
     # Fixed negotiate flags.  The original authors (beto & gera) suspected this
     # combination makes a Windows 2000 responder answer with uninitialised
     # verifiers, leaking memory contents.  LM_KEY, ALWAYS_SIGN and TARGET are
     # deliberately not requested.
     self['flags'] = (NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY
                      | NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL)

     have_hashes = lmhash != '' or nthash != ''
     if username and have_hashes:
         # Hash-based: responses are computed directly from the supplied hashes.
         self['lanman'] = get_ntlmv1_response(lmhash, challenge)
         self['ntlm'] = get_ntlmv1_response(nthash, challenge)
     elif username and password:
         # Derive both hashes from the cleartext password first.
         lmhash = compute_lmhash(password)
         nthash = compute_nthash(password)
         self['lanman'] = get_ntlmv1_response(lmhash, challenge)
         # Not used for LM_KEY nor NTLM_KEY session keys.
         self['ntlm'] = get_ntlmv1_response(nthash, challenge)
     else:
         # NULL session: no responses, but a hostname is still required.
         self['lanman'] = ''
         self['ntlm'] = ''
         if not self['host_name']:
             self['host_name'] = 'NULL'.encode('utf-16le')
    def fromString(self, data):
        """Parse an NTLM AUTHENTICATE_MESSAGE and extract its payload fields.

        ``Structure.fromString`` decodes the fixed header; each payload item
        (domain, host, user, NTLM and LM responses) is then cut out of
        ``data`` using the offset/length pair the header carries for it.
        [MS-NLMP] allows the items in any order with arbitrary padding, so no
        assumption is made about their layout.

        The offsets and lengths are peer-supplied (untrusted); Python slicing
        is bounds-safe, so a bogus pair yields a short or empty value rather
        than an exception.
        """
        Structure.fromString(self, data)

        def payload(offset_key, length_key):
            # Slice one payload item out of the raw message.
            start = self[offset_key]
            return data[start:start + self[length_key]]

        self['domain_name'] = payload('domain_offset', 'domain_len')
        self['host_name'] = payload('host_offset', 'host_len')
        self['user_name'] = payload('user_offset', 'user_len')
        self['ntlm'] = payload('ntlm_offset', 'ntlm_len')
        self['lanman'] = payload('lanman_offset', 'lanman_len')
    def __init__(self, data=None, alignment=0):
        """Initialise the structure, wrapping ``Buffer`` in an NDR array when parsing.

        With raw ``data``, the decoded ``Buffer`` field is re-interpreted as
        an ``ndrutils.NDRArray`` of ``SHARE_INFO_1`` items and stored back
        into ``Buffer``.  Without data the field is left as decoded.
        """
        Structure.__init__(self, data, alignment)
        if not data:
            return
        parsed = ndrutils.NDRArray(data=self['Buffer'], itemClass=SHARE_INFO_1)
        # Private reference kept alongside the 'Buffer' field.
        self.__array = parsed
        self['Buffer'] = parsed
 def __init__(self, data=None, alignment=0):
     """Initialise the PDU, emptying its variable-length parts when not parsing.

     The private ``__ctx_items`` list is created before ``Structure.__init__``
     runs so that a parse triggered by ``data`` can append to it.  When no
     data is given, ``Pad``, ``ctx_items``, ``sec_trailer`` and ``auth_data``
     are set to empty strings.
     """
     self.__ctx_items = []
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     for field in ('Pad', 'ctx_items', 'sec_trailer', 'auth_data'):
         self[field] = ''
 def fromString(self, data):
     """Parse the PDU, then decode ``ctx_num`` context results from ``ctx_items``.

     Each ``CtxItemResult`` consumes the front of the remaining buffer and is
     appended to the private ``__ctx_items`` list (which the constructor must
     already have created).  ``ctx_num`` is peer-supplied, so the loop count
     is untrusted; what ``CtxItemResult`` does with a short buffer is not
     visible here.
     """
     Structure.fromString(self, data)
     remaining = self['ctx_items']
     for _ in range(self['ctx_num']):
         result = CtxItemResult(remaining)
         self.__ctx_items.append(result)
         remaining = remaining[len(result):]
 def __init__(self, data=None, alignment=0):
     """Initialise the structure; without data, the string fields start empty.

     ``cname``, ``username``, ``cltype_name`` and ``transport`` are set to ''
     only when no raw ``data`` is supplied.
     """
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     for field in ('cname', 'username', 'cltype_name', 'transport'):
         self[field] = ''
 def __init__(self, data=None, alignment=0):
     """Initialise the structure; without data, the string fields start empty.

     ``cname``, ``username``, ``cltype_name`` and ``transport`` are set to ''
     only when no raw ``data`` is supplied.
     """
     Structure.__init__(self, data, alignment)
     if data is None:
         empty_fields = ('cname', 'username', 'cltype_name', 'transport')
         for field in empty_fields:
             self[field] = ''
 def fromString(self, data):
     """Parse the PDU, then decode ``ctx_num`` context results from ``ctx_items``.

     ``CtxItemResult`` instances are built one after another from the
     ``ctx_items`` buffer, each one consuming ``len(item)`` bytes, and are
     appended to the private ``__ctx_items`` list.  The item count comes from
     the peer and is used as-is.
     """
     Structure.fromString(self, data)
     buf = self['ctx_items']
     count = self['ctx_num']
     while count > 0:
         item = CtxItemResult(buf)
         self.__ctx_items.append(item)
         buf = buf[len(item):]
         count -= 1
 def __init__(self, data=None, alignment=0):
     """Initialise the PDU, emptying its variable-length parts when not parsing.

     ``__ctx_items`` is created first so a parse triggered by ``data`` can
     append to it; with no data, ``Pad``, ``ctx_items``, ``sec_trailer`` and
     ``auth_data`` are set to ''.
     """
     self.__ctx_items = []
     Structure.__init__(self, data, alignment)
     if data is None:
         self['Pad'] = self['ctx_items'] = ''
         self['sec_trailer'] = self['auth_data'] = ''
 def __init__(self, data=None, alignment=0):
     """Initialise a bind PDU with default fragment sizes when not parsing.

     Without ``data``: max transmit/receive fragment 4280, association group
     0, one context and an empty ``ctx_items`` buffer.  The private
     ``__ctx_items`` list is always reset to empty afterwards.
     """
     Structure.__init__(self, data, alignment)
     if data is None:
         defaults = (
             ('max_tfrag', 4280),
             ('max_rfrag', 4280),
             ('assoc_group', 0),
             ('ctx_num', 1),
             ('ctx_items', ''),
         )
         for field, value in defaults:
             self[field] = value
     self.__ctx_items = []
 def __init__(self, data=None, alignment=0):
     """Initialise a bind PDU with default fragment sizes when not parsing.

     Without ``data``: max transmit/receive fragment 4280, association group
     0, one context and an empty ``ctx_items`` buffer.  ``__ctx_items`` is
     reset to an empty list in both cases.
     """
     Structure.__init__(self, data, alignment)
     if data is None:
         self['max_tfrag'] = self['max_rfrag'] = 4280
         self['assoc_group'] = 0
         self['ctx_num'] = 1
         self['ctx_items'] = ''
     self.__ctx_items = []
    def fromString(self, data):
        """Parse a CHALLENGE_MESSAGE and trim ``TargetInfoFields`` to its declared length.

        ``Structure.fromString`` decodes the header; the variable-length
        ``TargetInfoFields`` buffer may carry bytes past
        ``TargetInfoFields_len`` (the length is peer-supplied), so it is cut
        down to the declared size.  The raw bytes are kept as-is — decoding
        them into AV_PAIRS is intentionally not done here.  Returns ``self``
        so the call can be chained.
        """
        Structure.fromString(self, data)
        declared_len = self['TargetInfoFields_len']
        self['TargetInfoFields'] = self['TargetInfoFields'][:declared_len]
        return self
    def fromString(self, data):
        """Parse a CHALLENGE_MESSAGE and trim ``TargetInfoFields`` to its declared length.

        After ``Structure.fromString`` decodes the header, the
        ``TargetInfoFields`` buffer is truncated to ``TargetInfoFields_len``
        (peer-supplied) in case trailing bytes follow it.  The bytes are left
        undecoded (no AV_PAIRS parsing here).  Returns ``self`` for chaining.
        """
        Structure.fromString(self, data)
        raw_target_info = self['TargetInfoFields']
        self['TargetInfoFields'] = raw_target_info[:self['TargetInfoFields_len']]
        return self
 def __init__(self):
     """Initialise an NTLM NEGOTIATE_MESSAGE with a fixed flag set and empty payload.

     Requested flags: 128-bit key, key exchange, NTLM key, Unicode, sign and
     seal.  LM_KEY, ALWAYS_SIGN and TARGET are deliberately not requested.
     ``host_name``, ``domain_name`` and ``os_version`` start out empty.
     """
     Structure.__init__(self)
     self['flags'] = (NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY
                      | NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL)
     for field in ('host_name', 'domain_name', 'os_version'):
         self[field] = ''
 def __init__(self, data=None, alignment=0):
     """Initialise an MSRPC request PDU, filling in defaults when not parsing.

     Without ``data``: RPC version 5.0, first+last fragment flags, type
     MSRPC_REQUEST, no auth trailer (``auth_len`` 0) and empty ``pduData``,
     ``auth_data``, ``sec_trailer`` and ``pad``.
     NOTE(review): ``__frag_len_set`` is only created on this path; an
     instance built from ``data`` will lack the attribute — confirm no other
     method reads it on parsed instances.
     """
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     self['ver_major'] = 5
     self['ver_minor'] = 0
     self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG
     self['type'] = MSRPC_REQUEST
     self.__frag_len_set = 0
     self['auth_len'] = 0
     for field in ('pduData', 'auth_data', 'sec_trailer', 'pad'):
         self[field] = ''
 def __init__(self, data=None, alignment=0):
     """Initialise an MSRPC request PDU, filling in defaults when not parsing.

     Without ``data``: RPC version 5.0, first+last fragment flags, type
     MSRPC_REQUEST, ``auth_len`` 0 and empty ``pduData``, ``auth_data``,
     ``sec_trailer`` and ``pad``.
     NOTE(review): ``__frag_len_set`` is only set on this path, so an instance
     parsed from ``data`` has no such attribute — confirm nothing reads it then.
     """
     Structure.__init__(self, data, alignment)
     if data is None:
         header_defaults = (
             ('ver_major', 5),
             ('ver_minor', 0),
             ('flags', MSRPC_FIRSTFRAG | MSRPC_LASTFRAG),
             ('type', MSRPC_REQUEST),
         )
         for field, value in header_defaults:
             self[field] = value
         self.__frag_len_set = 0
         self['auth_len'] = 0
         self['pduData'] = self['auth_data'] = ''
         self['sec_trailer'] = self['pad'] = ''
    def __init__(self, version, revision, pageSize=8192, data=None):
        """Select the ESE header layout for this version/revision, then parse ``data``.

        Layouts (each followed by ``self.common``):
          * version < 0x620, or 0x620 with revision < 0x0b: ``structure_2003_SP0``
          * 0x620 with revision < 0x11 (Exchange 2003 SP1, Vista and later):
            ``structure_0x620_0x0b``
          * otherwise (Windows 7 and later): ``structure_win7``, extended with
            ``extended_win7`` when ``pageSize`` is larger than 8192.
        """
        is_legacy = version < 0x620 or (version == 0x620 and revision < 0x0b)
        is_vista_era = version == 0x620 and revision < 0x11
        if is_legacy:
            layout = self.structure_2003_SP0 + self.common
        elif is_vista_era:
            layout = self.structure_0x620_0x0b + self.common
        else:
            layout = self.structure_win7 + self.common
            if pageSize > 8192:
                layout += self.extended_win7
        self.structure = layout

        Structure.__init__(self, data)
    def __init__(self, version, revision, pageSize=8192, data=None):
        """Select the ESE header layout for this version/revision, then parse ``data``.

        The pre-0x620 format (and 0x620 before revision 0x0b) uses
        ``structure_2003_SP0``; 0x620 below revision 0x11 uses
        ``structure_0x620_0x0b`` (Exchange 2003 SP1, Vista and later); anything
        newer uses ``structure_win7``, plus ``extended_win7`` for page sizes
        above 8192.  ``self.common`` is appended before the extension.
        """
        old_format = version < 0x620 or (version == 0x620 and revision < 0x0b)
        if old_format:
            base = self.structure_2003_SP0
        elif version == 0x620 and revision < 0x11:
            base = self.structure_0x620_0x0b
        else:
            base = self.structure_win7
        self.structure = base + self.common
        # Only the Windows 7+ layout grows with large pages.
        if not old_format and not (version == 0x620 and revision < 0x11) and pageSize > 8192:
            self.structure += self.extended_win7

        Structure.__init__(self, data)
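    def fromString(self, data):
        """Parse an NTLM NEGOTIATE_MESSAGE, including its payload and optional VERSION.

        ``Structure.fromString`` decodes the 32-byte fixed header; the domain
        and workstation names are then sliced out of ``data`` using the
        header's offset/length pairs (peer-supplied and untrusted — Python
        slicing keeps them inside ``data``).  When the NTLMSSP_VERSION flag
        is set and the message is long enough to hold the 8-byte VERSION
        field at bytes 32..39, it is stored in ``os_version``; otherwise
        ``os_version`` is ''.
        """
        Structure.fromString(self, data)

        domain_offset = self['domain_offset']
        self['domain_name'] = data[domain_offset:domain_offset + self['domain_len']]

        host_offset = self['host_offset']
        self['host_name'] = data[host_offset:host_offset + self['host_len']]

        # VERSION occupies bytes 32..39 of the NEGOTIATE_MESSAGE ([MS-NLMP]),
        # so a message needs at least 40 bytes to carry it.  Checking for 36
        # accepted a truncated message and stored a partial os_version.
        has_os_info = self['flags'] & NTLMSSP_VERSION
        if has_os_info and len(data) >= 40:
            self['os_version'] = data[32:40]
        else:
            self['os_version'] = ''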
 def __init__(self):
     """Initialise an NTLM NEGOTIATE_MESSAGE with a fixed flag set and empty payload.

     Requested flags: 128-bit key, key exchange, NTLM key, Unicode, sign and
     seal; LM_KEY, ALWAYS_SIGN and TARGET are left out on purpose.
     ``host_name``, ``domain_name`` and ``os_version`` start out empty.
     """
     Structure.__init__(self)
     requested = NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE
     requested |= NTLMSSP_NTLM_KEY | NTLMSSP_UNICODE
     requested |= NTLMSSP_SIGN | NTLMSSP_SEAL
     self['flags'] = requested
     self['host_name'] = self['domain_name'] = self['os_version'] = ''
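    def fromString(self, data):
        """Parse an NTLM NEGOTIATE_MESSAGE, including its payload and optional VERSION.

        After ``Structure.fromString`` decodes the 32-byte fixed header, the
        domain and workstation names are sliced out of ``data`` with the
        header's offset/length pairs (untrusted; slicing is bounds-safe).
        ``os_version`` receives the 8-byte VERSION field at bytes 32..39 when
        NTLMSSP_VERSION is set and the message is long enough; otherwise ''.
        """
        Structure.fromString(self, data)

        domain_offset = self['domain_offset']
        domain_end = domain_offset + self['domain_len']
        self['domain_name'] = data[domain_offset:domain_end]

        host_offset = self['host_offset']
        host_end = host_offset + self['host_len']
        self['host_name'] = data[host_offset:host_end]

        # VERSION is the 8 bytes at 32..39 ([MS-NLMP] NEGOTIATE_MESSAGE), so the
        # message must be at least 40 bytes long.  The previous bound of 36
        # let a truncated message through with a partial os_version.
        has_os_info = self['flags'] & NTLMSSP_VERSION
        if has_os_info and len(data) >= 40:
            self['os_version'] = data[32:40]
        else:
            self['os_version'] = ''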
 def getData(self):
     """Compute the AUTHENTICATE_MESSAGE payload offsets and serialise.

     Payload items are packed back to back right after the header, in the
     order domain, user, host, LM response, NTLM response, session key; the
     matching ``*_offset`` fields are set before ``Structure.getData`` packs
     everything.  The header is 64 bytes plus whatever ``checkMIC`` and
     ``checkVersion`` report for the current flags.
     """
     flags = self["flags"]
     header_len = 64 + self.checkMIC(flags) + self.checkVersion(flags)
     self['domain_offset'] = header_len
     self['user_offset'] = header_len + len(self['domain_name'])
     self['host_offset'] = self['user_offset'] + len(self['user_name'])
     self['lanman_offset'] = self['host_offset'] + len(self['host_name'])
     self['ntlm_offset'] = self['lanman_offset'] + len(self['lanman'])
     self['session_key_offset'] = self['ntlm_offset'] + len(self['ntlm'])
     return Structure.getData(self)
 def getData(self):
     """Compute the AUTHENTICATE_MESSAGE payload offsets and serialise.

     The payload is laid out contiguously after the header as domain, user,
     host, LM response, NTLM response and session key; each ``*_offset`` is
     the running total of the preceding item lengths on top of the header
     size (64 bytes plus the ``checkMIC``/``checkVersion`` amounts for the
     current flags).
     """
     flags = self["flags"]
     cursor = 64 + self.checkMIC(flags) + self.checkVersion(flags)
     self['domain_offset'] = cursor
     cursor += len(self['domain_name'])
     self['user_offset'] = cursor
     cursor += len(self['user_name'])
     self['host_offset'] = cursor
     cursor += len(self['host_name'])
     self['lanman_offset'] = cursor
     cursor += len(self['lanman'])
     self['ntlm_offset'] = cursor
     cursor += len(self['ntlm'])
     self['session_key_offset'] = cursor
     return Structure.getData(self)
 def __init__(self, username='', password='', challenge='', lmhash='', nthash='', flags=0):
     """Build an NTLM AUTHENTICATE_MESSAGE carrying NTLMv1 responses.

     ``user_name`` is stored UTF-16LE encoded; ``domain_name`` and
     ``host_name`` start out empty.  The negotiate flags are a fixed set
     (128-bit key, key exchange, NTLM key, Unicode, sign, seal); LM_KEY,
     ALWAYS_SIGN and TARGET are not requested.
     NOTE(review): ``flags`` is accepted but never used — confirm intent.

     Response selection:
       * username plus an LM or NT hash  -> responses computed from the hashes
       * username plus password          -> hashes derived from the password
       * anything else                   -> NULL session: empty responses and
         ``host_name`` forced to 'NULL', since a hostname must be present.
     """
     Structure.__init__(self)
     self['session_key'] = ''
     self['user_name'] = username.encode('utf-16le')
     self['domain_name'] = ''
     self['host_name'] = ''
     # The original authors (beto & gera) suspected this flag combination makes
     # a Windows 2000 responder answer with uninitialised verifiers, leaking
     # memory contents.
     fixed_flags = NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE
     fixed_flags |= NTLMSSP_NTLM_KEY | NTLMSSP_UNICODE
     fixed_flags |= NTLMSSP_SIGN | NTLMSSP_SEAL
     self['flags'] = fixed_flags

     if username and (lmhash != '' or nthash != ''):
         # Responses straight from the supplied hashes.
         self['lanman'] = get_ntlmv1_response(lmhash, challenge)
         self['ntlm'] = get_ntlmv1_response(nthash, challenge)
         return
     if username and password:
         # Derive the hashes from the password first.
         lmhash = compute_lmhash(password)
         nthash = compute_nthash(password)
         self['lanman'] = get_ntlmv1_response(lmhash, challenge)
         # Not used for LM_KEY nor NTLM_KEY session keys.
         self['ntlm'] = get_ntlmv1_response(nthash, challenge)
         return
     # NULL session: no responses, but a hostname is still required.
     self['lanman'] = ''
     self['ntlm'] = ''
     if not self['host_name']:
         self['host_name'] = 'NULL'.encode('utf-16le')
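    def __init__(self, data):
        """Parse an ESE catalog entry, choosing its layout from the type field.

        The 16-bit little-endian type at bytes 4..5 of ``data`` selects the
        type-specific fields that follow ``self.fixed``:
          TABLE / INDEX / LONG_VALUE -> ``other`` + the per-type fields
          COLUMN                     -> ``column_stuff``
          CALLBACK                   -> not supported, raises
          anything else              -> logged; only ``common`` is parsed
        ``common`` is appended in every case before the final parse.

        Raises:
            struct.error: if ``data`` is shorter than 6 bytes (no type field).
            NotImplementedError: for CATALOG_TYPE_CALLBACK entries.  This is a
                RuntimeError subclass; the bare ``raise`` it replaces had no
                active exception and also surfaced as a RuntimeError, but
                with a misleading "No active exception" message.
        """
        dataType = unpack('<H', data[4:6])[0]
        self.structure = self.fixed

        if dataType == CATALOG_TYPE_TABLE:
            self.structure += self.other + self.table_stuff
        elif dataType == CATALOG_TYPE_COLUMN:
            self.structure += self.column_stuff
        elif dataType == CATALOG_TYPE_INDEX:
            self.structure += self.other + self.index_stuff
        elif dataType == CATALOG_TYPE_LONG_VALUE:
            self.structure += self.other + self.lv_stuff
        elif dataType == CATALOG_TYPE_CALLBACK:
            LOG.error('CallBack types not supported!')
            raise NotImplementedError('CallBack catalog types are not supported')
        else:
            LOG.error('Unknown catalog type 0x%x' % dataType)
            # Unknown type: drop the type-specific layout so only the common
            # trailer is parsed below.
            # NOTE(review): this extra parse with an empty layout precedes the
            # common-only parse and looks redundant — confirm before removing.
            self.structure = ()
            Structure.__init__(self, data)

        self.structure += self.common

        Structure.__init__(self, data)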
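    def __init__(self, data):
        """Parse an ESE catalog entry, choosing its layout from the type field.

        Bytes 4..5 of ``data`` hold a little-endian 16-bit type that picks
        the fields appended to ``self.fixed``: ``other`` plus the table,
        index or long-value fields; ``column_stuff`` for columns; an
        unsupported CALLBACK raises; an unknown type is logged and only the
        ``common`` trailer is parsed.  ``common`` is always appended last.

        Raises:
            struct.error: if ``data`` is shorter than 6 bytes.
            NotImplementedError: for CATALOG_TYPE_CALLBACK (a RuntimeError
                subclass, so callers catching the RuntimeError the former bare
                ``raise`` produced keep working).
        """
        dataType = unpack('<H', data[4:6])[0]
        self.structure = self.fixed

        if dataType == CATALOG_TYPE_TABLE:
            self.structure += self.other + self.table_stuff
        elif dataType == CATALOG_TYPE_COLUMN:
            self.structure += self.column_stuff
        elif dataType == CATALOG_TYPE_INDEX:
            self.structure += self.other + self.index_stuff
        elif dataType == CATALOG_TYPE_LONG_VALUE:
            self.structure += self.other + self.lv_stuff
        elif dataType == CATALOG_TYPE_CALLBACK:
            LOG.error('CallBack types not supported!')
            raise NotImplementedError('CallBack catalog types are not supported')
        else:
            LOG.error('Unknown catalog type 0x%x' % dataType)
            # Unknown type: keep only the common trailer.
            # NOTE(review): the parse with an empty layout here precedes the
            # common-only parse below and looks redundant — confirm before removing.
            self.structure = ()
            Structure.__init__(self, data)

        self.structure += self.common

        Structure.__init__(self, data)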
 def getData(self):
     """Derive negotiate flags and payload offsets from the fields, then serialise.

     WORKSTATION, DOMAIN and VERSION are switched on when ``host_name``,
     ``domain_name`` or ``os_version`` is non-empty.  The payload follows the
     32-byte fixed header and the 8-byte VERSION field (when flagged), with
     ``host_name`` first and ``domain_name`` after it; an offset is only
     written for a field whose flag is set.
     """
     field_flags = (
         ('host_name', NTLMSSP_WORKSTATION),
         ('domain_name', NTLMSSP_DOMAIN),
         ('os_version', NTLMSSP_VERSION),
     )
     for field, flag in field_flags:
         if len(self.fields[field]) > 0:
             self['flags'] |= flag

     flags = self['flags']
     version_len = 8 if (flags & NTLMSSP_VERSION) == NTLMSSP_VERSION else 0
     payload_start = 32 + version_len
     if (flags & NTLMSSP_WORKSTATION) == NTLMSSP_WORKSTATION:
         self['host_offset'] = payload_start
     if (flags & NTLMSSP_DOMAIN) == NTLMSSP_DOMAIN:
         self['domain_offset'] = payload_start + len(self['host_name'])
     return Structure.getData(self)
 def getData(self):
     """Derive negotiate flags and payload offsets from the fields, then serialise.

     A non-empty ``host_name``, ``domain_name`` or ``os_version`` turns on
     WORKSTATION, DOMAIN or VERSION respectively.  Offsets count from the
     32-byte fixed header plus 8 bytes when VERSION is present; host name
     precedes domain name.  Only flagged fields get their offset updated.
     """
     if len(self.fields['host_name']) > 0:
         self['flags'] |= NTLMSSP_WORKSTATION
     if len(self.fields['domain_name']) > 0:
         self['flags'] |= NTLMSSP_DOMAIN
     if len(self.fields['os_version']) > 0:
         self['flags'] |= NTLMSSP_VERSION

     def flagged(bit):
         return (self['flags'] & bit) == bit

     version_len = 8 if flagged(NTLMSSP_VERSION) else 0
     if flagged(NTLMSSP_WORKSTATION):
         self['host_offset'] = 32 + version_len
     if flagged(NTLMSSP_DOMAIN):
         self['domain_offset'] = 32 + len(self['host_name']) + version_len
     return Structure.getData(self)
 def __init__(self, data=None, alignment=0):
     """Initialise the structure; ``netname`` and ``remark`` start empty when not parsing."""
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     self['netname'] = self['remark'] = ''
 def __init__(self, flags=0, **kargs):
     """Pick the signature layout from the negotiate flags, then initialise.

     NTLMSSP_NTLM2_KEY selects ``extendedMessageSignature``; otherwise the
     plain ``MessageSignature`` layout is used.  All other keyword arguments
     are passed straight to ``Structure.__init__``.
     """
     extended = bool(flags & NTLMSSP_NTLM2_KEY)
     self.structure = self.extendedMessageSignature if extended else self.MessageSignature
     return Structure.__init__(self, **kargs)
 def __init__(self, data=None):
     """Initialise the structure; ``TreeID`` defaults to 0 when not parsing."""
     Structure.__init__(self, data)
     if data is not None:
         return
     self['TreeID'] = 0
 def __init__(self, flags=0, **kargs):
     """Pick the signature layout from the negotiate flags, then initialise.

     With NTLMSSP_NTLM2_KEY set the extended signature layout is used,
     otherwise the plain one; remaining keyword arguments go to
     ``Structure.__init__``.
     """
     if flags & NTLMSSP_NTLM2_KEY:
         layout = self.extendedMessageSignature
     else:
         layout = self.MessageSignature
     self.structure = layout
     return Structure.__init__(self, **kargs)
 def getData(self):
     """Serialise the structure.

     No alignment padding or security-buffer offset/length adjustment is
     done here; this is a plain pass-through to ``Structure.getData``.
     """
     return Structure.getData(self)
 def __init__(self, data=None, alignment=0):
     """Initialise the structure; ``netname`` and ``remark`` start empty when not parsing."""
     Structure.__init__(self, data, alignment)
     if data is None:
         for field in ('netname', 'remark'):
             self[field] = ''
 def __init__(self, flags, data=None):
     """Prepend the common header to the layout when the tag flags ask for it, then parse.

     NOTE(review): in Python ``>`` binds tighter than ``&``, so the original
     test ``flags & TAG_COMMON > 0`` evaluates as ``flags & (TAG_COMMON > 0)``,
     i.e. it masks ``flags`` with the boolean ``True`` (bit 0) rather than with
     TAG_COMMON itself.  That exact behaviour is preserved here, written with
     explicit parentheses; the likely intent was ``(flags & TAG_COMMON) != 0``
     — confirm against TAG_COMMON's value before changing it.
     """
     wants_common = flags & (TAG_COMMON > 0)
     if wants_common:
         # Include the common header ahead of the entry-specific fields.
         self.structure = self.common + self.structure
     Structure.__init__(self, data)
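 def getData(self):
     """Serialise the bind PDU with the context items added so far.

     ``ctx_num`` is set from the private ``__ctx_items`` list and
     ``ctx_items`` is rebuilt from the items' encoded forms before
     ``Structure.getData`` packs the PDU.  Rebuilding (instead of appending
     to whatever ``ctx_items`` already holds) makes the method idempotent:
     calling ``getData`` twice no longer emits every item twice while
     ``ctx_num`` still advertises a single copy.  When no items were added,
     ``ctx_items`` is left exactly as it is.
     """
     self['ctx_num'] = len(self.__ctx_items)
     if self.__ctx_items:
         # An empty slice of the current value keeps its type (str or bytes).
         encoded = self['ctx_items'][:0]
         for item in self.__ctx_items:
             encoded += item.getData()
         self['ctx_items'] = encoded
     return Structure.getData(self)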
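 def getData(self):
     """Serialise the bind PDU with the context items added so far.

     Sets ``ctx_num`` from the private ``__ctx_items`` list and rebuilds
     ``ctx_items`` from the items' encoded forms, so repeated ``getData``
     calls produce the same bytes (appending on each call duplicated the
     items while ``ctx_num`` stayed the same).  With no items added,
     ``ctx_items`` is left untouched.
     """
     items = self.__ctx_items
     self['ctx_num'] = len(items)
     if items:
         # Start from an empty value of the same type as the current field.
         encoded = self['ctx_items'][:0]
         for item in items:
             encoded += item.getData()
         self['ctx_items'] = encoded
     return Structure.getData(self)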
 def __init__(self, flags, data=None):
     """Prepend the common header to the layout when the tag flags ask for it, then parse.

     NOTE(review): because ``>`` binds tighter than ``&`` in Python, the
     original ``flags & TAG_COMMON > 0`` is really ``flags & (TAG_COMMON > 0)``
     — a mask with the boolean ``True`` (bit 0), not with TAG_COMMON.  That
     behaviour is kept here with explicit parentheses; the intended test was
     probably ``(flags & TAG_COMMON) != 0`` — check TAG_COMMON's value first.
     """
     if flags & (TAG_COMMON > 0):
         # Common header goes in front of the entry-specific fields.
         self.structure = self.common + self.structure
     Structure.__init__(self, data)
 def __init__(self, data=None):
     """Initialise the structure; ``AlignPad`` starts empty when not parsing."""
     Structure.__init__(self, data)
     if data is not None:
         return
     self['AlignPad'] = ''
 def getData(self):
     """Flatten a structured ``TargetInfoFields`` value before serialising.

     If ``TargetInfoFields`` holds an object with a ``getData`` method
     (presumably an AV_PAIRS structure) instead of a plain ``str``, its
     encoded output replaces it so ``Structure.getData`` packs raw bytes.
     ``None`` and plain strings pass through untouched.  The check is on the
     exact type, so a ``str`` subclass is treated as an object to encode.
     """
     target_info = self['TargetInfoFields']
     needs_encoding = target_info is not None and type(target_info) is not str
     if needs_encoding:
         self['TargetInfoFields'] = target_info.getData()
     return Structure.getData(self)
 def __init__(self, data=None, alignment=0):
     """Initialise the structure; ``SupportedVersions`` starts empty when not parsing."""
     Structure.__init__(self, data, alignment)
     if data is not None:
         return
     self['SupportedVersions'] = ''
 def getData(self):
     """Flatten a structured ``TargetInfoFields`` value before serialising.

     When the field holds something other than ``None`` or an exact ``str``
     (presumably an AV_PAIRS structure), its ``getData`` output is stored
     back so ``Structure.getData`` packs raw bytes.
     """
     current = self['TargetInfoFields']
     if current is None or type(current) is str:
         return Structure.getData(self)
     self['TargetInfoFields'] = current.getData()
     return Structure.getData(self)
 def getData(self):
     """Serialise after pinning ``pResumeHandler`` to a fixed 8-byte value.

     The constant is written on every call, so callers cannot leave the
     field unset or override it.
     """
     fixed_handler = '\xbc\x9a\x00\x00\x00\x00\x00\x00'
     self['pResumeHandler'] = fixed_handler
     return Structure.getData(self)
 def __init__(self, data=None, alignment=0):
     """Initialise the structure; ``SupportedVersions`` starts empty when not parsing."""
     Structure.__init__(self, data, alignment)
     if data is None:
         empty = ''
         self['SupportedVersions'] = empty
 def getData(self):
     """Serialise after pinning ``pResumeHandler`` to a fixed 8-byte value.

     The same constant is written on every call before delegating to
     ``Structure.getData``.
     """
     self['pResumeHandler'] = '\xbc\x9a' + '\x00' * 6
     return Structure.getData(self)