def recv(self): self.response_data = self._transport.recv() self.response_header = MSRPCRespHeader(self.response_data) off = self.response_header.get_header_size() if self.response_header.get_type( ) == MSRPC_FAULT and self.response_header.get_frag_len() >= off + 4: status_code = unpack("<L", self.response_data[off:off + 4])[0] if rpc_status_codes.has_key(status_code): raise Exception(rpc_status_codes[status_code]) else: raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code) answer = self.response_data[off:] auth_len = self.response_header.get_auth_len() if auth_len: auth_len += 8 auth_data = answer[-auth_len:] ntlmssp = ntlm.NTLMAuthHeader(data=auth_data) answer = answer[:-auth_len] if ntlmssp['auth_level'] == ntlm.NTLM_AUTH_PKT_PRIVACY: answer = self.cipher_encrypt(answer) if ntlmssp['auth_pad_len']: answer = answer[:-ntlmssp['auth_pad_len']] if ntlmssp['auth_level'] in [ ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY ]: ntlmssp = ntlm.NTLMAuthVerifier(data=auth_data) data = self.cipher_encrypt(ntlmssp['data']) zero, crc, sequence = unpack('<LLL', data) self.sequence = sequence + 1 return answer
def _transport_send(self, rpc_packet, forceWriteAndx = 0, forceRecv = 0): if self.__auth_level == ntlm.NTLM_AUTH_CALL: if rpc_packet.get_type() == MSRPC_REQUEST: response = ntlm.NTLMAuthChallengeResponse(self.__username,self.__password, self._ntlm_challenge) response['auth_ctx_id'] = self._ctx + 79231 response['auth_level'] = self.__auth_level rpc_packet.set_auth_data(str(response)) if self.__auth_level in [ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]: verifier = ntlm.NTLMAuthVerifier() verifier['auth_level'] = self.__auth_level verifier['auth_ctx_id'] = self._ctx + 79231 verifier['data'] = ' '*12 rpc_packet.set_auth_data(str(verifier)) rpc_call = rpc_packet.child() if self.__auth_level == ntlm.NTLM_AUTH_PKT_PRIVACY: data = DCERPC_RawCall(rpc_call.OP_NUM) data.setData(self.cipher_encrypt(rpc_call.get_packet())) rpc_packet.contains(data) crc = crc32(rpc_call.get_packet()) data = pack('<LLL',0,crc,self.sequence) # XXX 0 can be anything: randomize data = self.cipher_encrypt(data) verifier['data'] = data rpc_packet.set_auth_data(str(verifier)) self.sequence += 1 self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)