Ejemplo n.º 1
0
	def from_buffer(buff):
		t = NTLMChallenge()
		t.Signature         = buff.read(8)
		t.MessageType       = int.from_bytes(buff.read(4), byteorder = 'little', signed = False)
		t.TargetNameFields  = Fields.from_buffer(buff)
		t.NegotiateFlags    = NegotiateFlags(int.from_bytes(buff.read(4), byteorder = 'little', signed = False))
		t.ServerChallenge   = buff.read(8)
		t.Reserved          = buff.read(8)
		t.TargetInfoFields  = Fields.from_buffer(buff)
		
		if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION: 
			t.Version = Version.from_buffer(buff)
			
		currPos = buff.tell()
		t.Payload = buff.read()
			
		if t.TargetNameFields.length != 0:
			buff.seek(t.TargetNameFields.offset, io.SEEK_SET)
			raw_data = buff.read(t.TargetNameFields.length)
			try:
				t.TargetName = raw_data.decode('utf-16le')
			except UnicodeDecodeError:
				# yet another cool bug. 
				t.TargetName = raw_data.decode('utf-8')
				
		if t.TargetInfoFields.length != 0:
			buff.seek(t.TargetInfoFields.offset, io.SEEK_SET)
			raw_data = buff.read(t.TargetInfoFields.length)
			t.TargetInfo = AVPairs.from_bytes(raw_data)
			
		
		
		return t
Ejemplo n.º 2
0
def test_construct():
    flags = NegotiateFlags.NEGOTIATE_56|NegotiateFlags.NEGOTIATE_KEY_EXCH|NegotiateFlags.NEGOTIATE_128|\
      NegotiateFlags.NEGOTIATE_VERSION|\
      NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY|\
      NegotiateFlags.NEGOTIATE_ALWAYS_SIGN|NegotiateFlags.NEGOTIATE_NTLM|NegotiateFlags.NEGOTIATE_LM_KEY|\
      NegotiateFlags.NEGOTIATE_SIGN|NegotiateFlags.REQUEST_TARGET|NegotiateFlags.NTLM_NEGOTIATE_OEM|NegotiateFlags.NEGOTIATE_UNICODE|\
      NegotiateFlags.NEGOTIATE_OEM_WORKSTATION_SUPPLIED|NegotiateFlags.NEGOTIATE_OEM_DOMAIN_SUPPLIED
    nego = NTLMNegotiate.construct(flags,
                                   domainname="alma.com",
                                   workstationname="testjoe",
                                   version=Version.construct())
    nego.to_bytes()
    print(repr(nego))

    test_reconstrut(nego.to_bytes())

    flags = NegotiateFlags.NEGOTIATE_56|NegotiateFlags.NEGOTIATE_KEY_EXCH|NegotiateFlags.NEGOTIATE_128|\
      NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY|\
      NegotiateFlags.NEGOTIATE_ALWAYS_SIGN|NegotiateFlags.NEGOTIATE_NTLM|NegotiateFlags.NEGOTIATE_LM_KEY|\
      NegotiateFlags.NEGOTIATE_SIGN|NegotiateFlags.REQUEST_TARGET|NegotiateFlags.NTLM_NEGOTIATE_OEM|NegotiateFlags.NEGOTIATE_UNICODE|\
      NegotiateFlags.NEGOTIATE_OEM_WORKSTATION_SUPPLIED|NegotiateFlags.NEGOTIATE_OEM_DOMAIN_SUPPLIED
    nego = NTLMNegotiate.construct(flags,
                                   domainname="alma.com",
                                   workstationname="testjoe2")
    print(nego.to_bytes())
    print(repr(nego))

    test_reconstrut(nego.to_bytes())
Ejemplo n.º 3
0
    def from_buffer(buff, _use_NTLMv2=True):
        auth = NTLMAuthenticate(_use_NTLMv2)
        auth.Signature = buff.read(8)
        auth.MessageType = int.from_bytes(buff.read(4),
                                          byteorder='little',
                                          signed=False)
        auth.LmChallengeResponseFields = Fields.from_buffer(buff)
        auth.NtChallengeResponseFields = Fields.from_buffer(buff)
        auth.DomainNameFields = Fields.from_buffer(buff)
        auth.UserNameFields = Fields.from_buffer(buff)
        auth.WorkstationFields = Fields.from_buffer(buff)
        auth.EncryptedRandomSessionKeyFields = Fields.from_buffer(buff)
        auth.NegotiateFlags = NegotiateFlags(
            int.from_bytes(buff.read(4), byteorder='little', signed=False))
        if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
            auth.Version = Version.from_buffer(buff)

        # TODO: I'm not sure about this condition!!! Need to test this!
        if auth.NegotiateFlags & NegotiateFlags.NEGOTIATE_ALWAYS_SIGN:
            auth.MIC = buff.read(16)

        currPos = buff.tell()
        auth.Payload = buff.read()

        if auth._use_NTLMv2 and auth.NtChallengeResponseFields.length > 24:
            buff.seek(auth.LmChallengeResponseFields.offset, io.SEEK_SET)
            auth.LMChallenge = LMv2Response.from_buffer(buff)

            buff.seek(auth.NtChallengeResponseFields.offset, io.SEEK_SET)
            auth.NTChallenge = NTLMv2Response.from_buffer(buff)

        else:
            buff.seek(auth.LmChallengeResponseFields.offset, io.SEEK_SET)
            auth.LMChallenge = LMResponse.from_buffer(buff)

            buff.seek(auth.NtChallengeResponseFields.offset, io.SEEK_SET)
            auth.NTChallenge = NTLMv1Response.from_buffer(buff)

        buff.seek(auth.DomainNameFields.offset, io.SEEK_SET)
        auth.DomainName = buff.read(
            auth.DomainNameFields.length).decode('utf-16le')

        buff.seek(auth.UserNameFields.offset, io.SEEK_SET)
        auth.UserName = buff.read(
            auth.UserNameFields.length).decode('utf-16le')

        buff.seek(auth.WorkstationFields.offset, io.SEEK_SET)
        auth.Workstation = buff.read(
            auth.WorkstationFields.length).decode('utf-16le')

        buff.seek(auth.EncryptedRandomSessionKeyFields.offset, io.SEEK_SET)
        auth.EncryptedRandomSession = buff.read(
            auth.EncryptedRandomSessionKeyFields.length)

        buff.seek(currPos, io.SEEK_SET)

        return auth
Ejemplo n.º 4
0
    def from_buffer(buff):
        t = NTLMNegotiate()
        t.Signature = buff.read(8)
        t.MessageType = int.from_bytes(buff.read(4),
                                       byteorder='little',
                                       signed=False)
        t.NegotiateFlags = NegotiateFlags(
            int.from_bytes(buff.read(4), byteorder='little', signed=False))
        t.DomainNameFields = Fields.from_buffer(buff)
        t.WorkstationFields = Fields.from_buffer(buff)

        if t.NegotiateFlags & NegotiateFlags.NEGOTIATE_VERSION:
            t.Version = Version.from_buffer(buff)

        currPos = buff.tell()
        t.Payload = buff.read()

        #currPos = buff.tell()

        if t.DomainNameFields.length != 0:
            buff.seek(t.DomainNameFields.offset, io.SEEK_SET)
            raw_data = buff.read(t.WorkstationFields.length)
            print(raw_data)
            print(t.DomainNameFields.length)
            try:
                t.Domain = raw_data.decode('utf-16le')
            except UnicodeDecodeError:
                # yet another cool bug.
                t.Domain = raw_data.decode('utf-8')

        if t.WorkstationFields.length != 0:
            buff.seek(t.WorkstationFields.offset, io.SEEK_SET)
            raw_data = buff.read(t.WorkstationFields.length)
            try:
                t.Workstation = raw_data.decode('utf-16le')
            except UnicodeDecodeError:
                # yet another cool bug.
                t.Workstation = raw_data.decode('utf-8')

        #buff.seek(currPos, io.SEEK_SET)

        return t
Ejemplo n.º 5
0
def test_msdn():
    credential = Credential()
    credential.username = '******'
    credential.domain = 'Domain'
    credential.password = '******'

    template = {
        'flags':
        NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.REQUEST_NON_NT_SESSION_KEY
        | NegotiateFlags.NEGOTIATE_KEY_EXCH | NegotiateFlags.NEGOTIATE_128
        | NegotiateFlags.NEGOTIATE_VERSION | NegotiateFlags.TARGET_TYPE_SERVER
        | NegotiateFlags.NEGOTIATE_ALWAYS_SIGN | NegotiateFlags.NEGOTIATE_NTLM
        | NegotiateFlags.NEGOTIATE_SIGN | NegotiateFlags.NEGOTIATE_SEAL
        | NegotiateFlags.NTLM_NEGOTIATE_OEM | NegotiateFlags.NEGOTIATE_UNICODE,
        'version':
        Version.construct(WindowsMajorVersion.WINDOWS_MAJOR_VERSION_10,
                          minor=WindowsMinorVersion.WINDOWS_MINOR_VERSION_0,
                          build=15063),
        'domain_name':
        'Domain',
        'workstation_name':
        'COMPUTER',
        'ntlm_downgrade':
        True,
        'extended_security':
        False
    }
    settings = NTLMHandlerSettings(credential,
                                   mode='CLIENT',
                                   template_name=None,
                                   ntlm_downgrade=True,
                                   extended_security=False,
                                   custom_template=template)
    handler = NTLMAUTHHandler(settings)
    #assert handler.flags == int.from_bytes(b'\x33\x82\x02\xe2', "little", signed = False)
    data, is_res = handler.authenticate(None)
    print(data)
    print(is_res)

    details = AVPairs({
        AVPAIRType.MsvAvNbDomainName: 'TEST',
        AVPAIRType.MsvAvNbComputerName: 'WIN2019AD',
        AVPAIRType.MsvAvDnsDomainName: 'test.corp',
        AVPAIRType.MsvAvDnsComputerName: 'WIN2019AD.test.corp',
        AVPAIRType.MsvAvTimestamp: b'\xae\xc6\x00\xbf\xc5\xfd\xd4\x01',
        AVPAIRType.MsvAvFlags: b'\x02\x00\x00\x00',
        AVPAIRType.MsvAvSingleHost:
        b"0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 \x00\x00R}'\xf24\xdet7`\x96c\x84\xd3oa\xae*\xa4\xfc*8\x06\x99\xf8\xca\xa6\x00\x01\x1bHm\x89",
        AVPAIRType.MsvChannelBindings:
        b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00',
        AVPAIRType.MsvAvTargetName: 'cifs/10.10.10.2'
    })

    challenge = NTLMChallenge.construct(
        challenge=b'\x01\x23\x45\x67\x89\xab\xcd\xef',
        targetName='Domain',
        targetInfo=details,
        version=handler.ntlmNegotiate.Version,
        flags=handler.flags)
    data, is_res = handler.authenticate(challenge.to_bytes())
    print(data)
    print(is_res)

    print(handler.ntlmAuthenticate.LMChallenge.to_bytes().hex())
    print(handler.ntlmAuthenticate.NTChallenge.to_bytes().hex())
Ejemplo n.º 6
0
from aiosmb.ntlm.structures.fields import Fields
from aiosmb.ntlm.structures.negotiate_flags import NegotiateFlags
from aiosmb.ntlm.structures.version import Version
from aiosmb.ntlm.structures.avpair import AVPairs, AVPAIRType

NTLMServerTemplates = {
    "Windows2003": {
        'flags':
        NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.NEGOTIATE_128
        | NegotiateFlags.NEGOTIATE_VERSION
        | NegotiateFlags.NEGOTIATE_TARGET_INFO
        | NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
        | NegotiateFlags.TARGET_TYPE_DOMAIN | NegotiateFlags.NEGOTIATE_NTLM
        | NegotiateFlags.REQUEST_TARGET | NegotiateFlags.NEGOTIATE_UNICODE,
        'version':
        Version.from_bytes(b"\x05\x02\xce\x0e\x00\x00\x00\x0f"),
        'targetinfo':
        AVPairs({
            AVPAIRType.MsvAvNbDomainName: 'SMB',
            AVPAIRType.MsvAvNbComputerName: 'SMB-TOOLKIT',
            AVPAIRType.MsvAvDnsDomainName: 'smb.local',
            AVPAIRType.MsvAvDnsComputerName: 'server2003.smb.local',
            AVPAIRType.MsvAvDnsTreeName: 'smb.local',
        }),
        'targetname':
        'SMB',
    },
}
Ejemplo n.º 7
0
from aiosmb.ntlm.structures.negotiate_flags import NegotiateFlags
from aiosmb.ntlm.structures.version import Version, WindowsMajorVersion, WindowsMinorVersion

NTLMClientTemplates = {
    "Windows10_15063": {
        'flags':
        NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.NEGOTIATE_KEY_EXCH
        | NegotiateFlags.NEGOTIATE_128 | NegotiateFlags.NEGOTIATE_VERSION
        | NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
        | NegotiateFlags.NEGOTIATE_ALWAYS_SIGN | NegotiateFlags.NEGOTIATE_NTLM
        | NegotiateFlags.NEGOTIATE_LM_KEY | NegotiateFlags.NEGOTIATE_SIGN
        | NegotiateFlags.REQUEST_TARGET | NegotiateFlags.NTLM_NEGOTIATE_OEM
        | NegotiateFlags.NEGOTIATE_UNICODE,
        'version':
        Version.construct(WindowsMajorVersion.WINDOWS_MAJOR_VERSION_10,
                          minor=WindowsMinorVersion.WINDOWS_MINOR_VERSION_0,
                          build=15063),
        'domain_name':
        None,
        'workstation_name':
        None,
        'ntlm_downgrade':
        False,
    },
    "Windows10_15063_knowkey": {
        'flags':
        NegotiateFlags.NEGOTIATE_56 | NegotiateFlags.NEGOTIATE_KEY_EXCH
        | NegotiateFlags.NEGOTIATE_128 | NegotiateFlags.NEGOTIATE_VERSION
        | NegotiateFlags.NEGOTIATE_EXTENDED_SESSIONSECURITY
        | NegotiateFlags.NEGOTIATE_ALWAYS_SIGN | NegotiateFlags.NEGOTIATE_NTLM
        | NegotiateFlags.NEGOTIATE_LM_KEY | NegotiateFlags.NEGOTIATE_SIGN