def decode(self, aBuffer):
        i = ImpactPacket.IP(aBuffer)
        self.set_decoded_protocol ( i )
        off = i.get_header_size()
        end = i.get_ip_len()
        # If ip_len == 0 we might be facing TCP segmentation offload, let's calculate the right len
        if end == 0:
            LOG.warning('IP len reported as 0, most probably because of TCP segmentation offload. Attempting to fix its size')
            i.set_ip_len(len(aBuffer))
            end = i.get_ip_len()

        if i.get_ip_p() == ImpactPacket.UDP.protocol:
            self.udp_decoder = UDPDecoder()
            packet = self.udp_decoder.decode(aBuffer[off:end])
        elif i.get_ip_p() == ImpactPacket.TCP.protocol:
            self.tcp_decoder = TCPDecoder()
            packet = self.tcp_decoder.decode(aBuffer[off:end])
        elif i.get_ip_p() == ImpactPacket.ICMP.protocol:
            self.icmp_decoder = ICMPDecoder()
            packet = self.icmp_decoder.decode(aBuffer[off:end])
        elif i.get_ip_p() == ImpactPacket.IGMP.protocol:
            self.igmp_decoder = IGMPDecoder()
            packet = self.igmp_decoder.decode(aBuffer[off:end])
        else:
            self.data_decoder = DataDecoder()
            packet = self.data_decoder.decode(aBuffer[off:end])
        i.contains(packet)
        return i
Ejemplo n.º 2
0
    def decode(self, aBuffer):
        i = ImpactPacket.IP(aBuffer)
        self.set_decoded_protocol ( i )
        off = i.get_header_size()
        end = i.get_ip_len()
        # If ip_len == 0 we might be facing TCP segmentation offload, let's calculate the right len
        if end == 0:
            LOG.warning('IP len reported as 0, most probably because of TCP segmentation offload. Attempting to fix its size')
            i.set_ip_len(len(aBuffer))
            end = i.get_ip_len()

        if i.get_ip_p() == ImpactPacket.UDP.protocol:
            self.udp_decoder = UDPDecoder()
            packet = self.udp_decoder.decode(aBuffer[off:end])
        elif i.get_ip_p() == ImpactPacket.TCP.protocol:
            self.tcp_decoder = TCPDecoder()
            packet = self.tcp_decoder.decode(aBuffer[off:end])
        elif i.get_ip_p() == ImpactPacket.ICMP.protocol:
            self.icmp_decoder = ICMPDecoder()
            packet = self.icmp_decoder.decode(aBuffer[off:end])
        elif i.get_ip_p() == ImpactPacket.IGMP.protocol:
            self.igmp_decoder = IGMPDecoder()
            packet = self.igmp_decoder.decode(aBuffer[off:end])
        else:
            self.data_decoder = DataDecoder()
            packet = self.data_decoder.decode(aBuffer[off:end])
        i.contains(packet)
        return i
Ejemplo n.º 3
0
    def sendNegotiate(self, negotiateMessage):
        negoMessage = NTLMAuthNegotiate()
        negoMessage.fromString(negotiateMessage)

        # When exploiting CVE-2019-1040, remove message signing flag
        # For SMB->LDAP this is required otherwise it triggers LDAP signing
        # Changing flags breaks the signature unless the client uses a non-standard implementation of NTLM
        if self.serverConfig.remove_mic:
            if negoMessage[
                    'flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
                negoMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
            if negoMessage[
                    'flags'] & NTLMSSP_NEGOTIATE_ALWAYS_SIGN == NTLMSSP_NEGOTIATE_ALWAYS_SIGN:
                negoMessage['flags'] ^= NTLMSSP_NEGOTIATE_ALWAYS_SIGN

        self.negotiateMessage = negoMessage.getData()

        # Warn if the relayed target requests signing, which will break our attack
        if negoMessage[
                'flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
            LOG.warning(
                'The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)'
            )

        with self.session.connection_lock:
            if not self.session.sasl_in_progress:
                self.session.sasl_in_progress = True
                request = bind.bind_operation(self.session.version,
                                              'SICILY_PACKAGE_DISCOVERY')
                response = self.session.post_send_single_response(
                    self.session.send('bindRequest', request, None))
                result = response[0]
                try:
                    sicily_packages = result['server_creds'].decode(
                        'ascii').split(';')
                except KeyError:
                    raise LDAPRelayClientException(
                        'Could not discover authentication methods, server replied: %s'
                        % result)

                if 'NTLM' in sicily_packages:  # NTLM available on server
                    request = bind.bind_operation(self.session.version,
                                                  'SICILY_NEGOTIATE_NTLM',
                                                  self)
                    response = self.session.post_send_single_response(
                        self.session.send('bindRequest', request, None))
                    result = response[0]
                    if result['result'] == RESULT_SUCCESS:
                        challenge = NTLMAuthChallenge()
                        challenge.fromString(result['server_creds'])
                        return challenge
                else:
                    raise LDAPRelayClientException(
                        'Server did not offer NTLM authentication!')
Ejemplo n.º 4
0
 def loadKeysFromKeytab(cls, fileName, username, domain, options):
     keytab = Keytab.loadFile(fileName)
     keyblock = keytab.getKey("%s@%s" % (username, domain))
     if keyblock:
         if keyblock["keytype"] == Enctype.AES256.value or keyblock[
                 "keytype"] == Enctype.AES128.value:
             options.aesKey = keyblock.hexlifiedValue()
         elif keyblock["keytype"] == Enctype.RC4.value:
             options.hashes = ':' + keyblock.hexlifiedValue().decode(
                 'ascii')
     else:
         LOG.warning("No matching key for SPN '%s' in given keytab found!",
                     username)
Ejemplo n.º 5
0
 def __init__(self, hive, isRemote = False):
     self.__hive = hive
     if isRemote is True:
         self.fd = self.__hive
         self.__hive.open()
     else:
         self.fd = open(hive,'rb')
     data = self.fd.read(4096)
     self.__regf = REG_REGF(data)
     self.indent = ''
     self.rootKey = self.__findRootKey()
     if self.rootKey is None:
         LOG.error("Can't find root key!")
     elif self.__regf['MajorVersion'] != 1 and self.__regf['MinorVersion'] > 5:
         LOG.warning("Unsupported version (%d.%d) - things might not work!" % (self.__regf['MajorVersion'], self.__regf['MinorVersion']))
Ejemplo n.º 6
0
 def __init__(self, hive, isRemote = False):
     self.__hive = hive
     if isRemote is True:
         self.fd = self.__hive
         self.__hive.open()
     else:
         self.fd = open(hive,'rb')
     data = self.fd.read(4096)
     self.__regf = REG_REGF(data)
     self.indent = ''
     self.rootKey = self.__findRootKey()
     if self.rootKey is None:
         LOG.error("Can't find root key!")
     elif self.__regf['MajorVersion'] != 1 and self.__regf['MinorVersion'] > 5:
         LOG.warning("Unsupported version (%d.%d) - things might not work!" % (self.__regf['MajorVersion'], self.__regf['MinorVersion']))
Ejemplo n.º 7
0
    def sendNegotiate(self, negotiateMessage):
        # Remove the message signing flag
        # For LDAP this is required otherwise it triggers LDAP signing

        # Note that this code is commented out because changing flags breaks the signature
        # unless the client uses a non-standard implementation of NTLM
        negoMessage = NTLMAuthNegotiate()
        negoMessage.fromString(negotiateMessage)
        #negoMessage['flags'] ^= NTLMSSP_NEGOTIATE_SIGN
        self.negotiateMessage = negoMessage.getData()

        # Warn if the relayed target requests signing, which will break our attack
        if negoMessage['flags'] & NTLMSSP_NEGOTIATE_SIGN == NTLMSSP_NEGOTIATE_SIGN:
            LOG.warning('The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)')

        with self.session.connection_lock:
            if not self.session.sasl_in_progress:
                self.session.sasl_in_progress = True
                request = bind.bind_operation(self.session.version, 'SICILY_PACKAGE_DISCOVERY')
                response = self.session.post_send_single_response(self.session.send('bindRequest', request, None))
                result = response[0]
                try:
                    sicily_packages = result['server_creds'].decode('ascii').split(';')
                except KeyError:
                    raise LDAPRelayClientException('Could not discover authentication methods, server replied: %s' % result)

                if 'NTLM' in sicily_packages:  # NTLM available on server
                    request = bind.bind_operation(self.session.version, 'SICILY_NEGOTIATE_NTLM', self)
                    response = self.session.post_send_single_response(self.session.send('bindRequest', request, None))
                    result = response[0]

                    if result['result'] == RESULT_SUCCESS:
                        challenge = NTLMAuthChallenge()
                        challenge.fromString(result['server_creds'])
                        return challenge
                else:
                    raise LDAPRelayClientException('Server did not offer NTLM authentication!')
Ejemplo n.º 8
0
 def set_source_address(self, source_address):
     LOG.warning('deprecated soon')
     self.set_ip_src(source_address)
Ejemplo n.º 9
0
 def set_destination_address(self, destination_address):
     LOG.warning('deprecated soon')
     self.set_ip_dst(destination_address)
Ejemplo n.º 10
0
 def set_source_address(self, source_address):
     LOG.warning('deprecated soon')
     self.set_ip_src(source_address)
Ejemplo n.º 11
0
 def set_protocol_version(self, version):
     LOG.warning('deprecated soon')
     self.set_ip_v(version)
Ejemplo n.º 12
0
 def get_destination_address(self):
     LOG.warning('deprecated soon')
     return self.get_ip_dst()
Ejemplo n.º 13
0
 def get_source_address(self):
     LOG.warning('deprecated soon')
     return self.get_ip_src()
Ejemplo n.º 14
0
 def get_protocol_version(self):
     LOG.warning('deprecated soon')
     return self.get_ip_v()    
Ejemplo n.º 15
0
 def set_destination_address(self, destination_address):
     LOG.warning('deprecated soon')
     self.set_ip_dst(destination_address)
Ejemplo n.º 16
0
 def set_protocol_version(self, version):
     LOG.warning('deprecated soon')
     self.set_ip_v(version)
Ejemplo n.º 17
0
 def get_destination_address(self):
     LOG.warning('deprecated soon')
     return self.get_ip_dst()
Ejemplo n.º 18
0
 def get_source_address(self):
     LOG.warning('deprecated soon')
     return self.get_ip_src()
Ejemplo n.º 19
0
 def get_protocol_version(self):
     LOG.warning('deprecated soon')
     return self.get_ip_v()