def fromString(self, data):
    """Parse the fixed header, then cut each payload blob out of ``data``.

    [MS-NLMP] page 27: the payload blobs may sit anywhere in the Payload
    field, in any order and with padding between them, so each blob is
    located through its own offset/length pair instead of sequentially.
    Python slicing never raises on out-of-range indices, so an
    offset/length pair that points past the end of ``data`` silently
    yields a shortened (possibly empty) blob rather than an error.
    """
    Structure.fromString(self, data)
    blobs = (
        ('domain', 'domain_name'),
        ('host', 'host_name'),
        ('user', 'user_name'),
        ('ntlm', 'ntlm'),
        ('lanman', 'lanman'),
    )
    for prefix, field in blobs:
        start = self[prefix + '_offset']
        stop = start + self[prefix + '_len']
        self[field] = data[start:stop]
def __init__(self, data=None, alignment=0):
    """Initialise from ``data``; when it is non-empty, replace the raw
    Buffer field with an NDRArray of SESSION_INFO_502 entries.

    Note the truthiness test: an empty ``data`` (not just None) skips the
    array construction and leaves Buffer as parsed.
    """
    Structure.__init__(self, data, alignment)
    if not data:
        return
    entries = ndrutils.NDRArray(data=self['Buffer'], itemClass=SESSION_INFO_502)
    self.__array = entries
    self['Buffer'] = entries
def __init__(self, username = '', password = '', challenge = '', lmhash = '', nthash = '', flags = 0):
    """Build an NTLMv1 authentication message from a username and either
    hashes or a password.

    Credential selection, in priority order:
      * username plus a non-empty lmhash or nthash: responses are computed
        from the given hashes (both are used as-is, even if one is empty);
      * username plus password: hashes are derived with compute_lmhash /
        compute_nthash first;
      * anything else: lanman and ntlm responses are left empty.
    ``flags`` is accepted for signature compatibility but is not read; the
    negotiate flags are fixed below.  ``session_key`` and ``domain_name``
    start empty and ``host_name`` falls back to 'NULL' (UTF-16LE) because
    a NULL session still needs a workstation name.
    """
    Structure.__init__(self)
    self['session_key'] = ''
    self['user_name'] = username.encode('utf-16le')
    self['domain_name'] = ''
    self['host_name'] = ''
    # Original authors' note (beto & gera): this flag set appears to make a
    # Windows 2000 responder answer with uninitialised verifiers, leaking
    # memory contents.  LM_KEY, ALWAYS_SIGN and TARGET are deliberately not set.
    self['flags'] = (NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY
                     | NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL)
    have_hashes = lmhash != '' or nthash != ''
    if username and have_hashes:
        self['lanman'] = get_ntlmv1_response(lmhash, challenge)
        self['ntlm'] = get_ntlmv1_response(nthash, challenge)
    elif username and password:
        lm_hash = compute_lmhash(password)
        nt_hash = compute_nthash(password)
        self['lanman'] = get_ntlmv1_response(lm_hash, challenge)
        self['ntlm'] = get_ntlmv1_response(nt_hash, challenge)
    else:
        self['lanman'] = ''
        self['ntlm'] = ''
    if not self['host_name']:
        self['host_name'] = 'NULL'.encode('utf-16le')
def fromString(self,data):
    """Parse the fixed header, then cut each payload blob out of ``data``.

    [MS-NLMP] page 27: the payload blobs may sit anywhere in the Payload
    field, in any order and with padding between them, so each blob is
    located through its own offset/length pair instead of sequentially.
    Python slicing never raises on out-of-range indices, so an
    offset/length pair that points past the end of ``data`` silently
    yields a shortened (possibly empty) blob rather than an error.
    """
    Structure.fromString(self, data)
    blobs = (
        ('domain', 'domain_name'),
        ('host', 'host_name'),
        ('user', 'user_name'),
        ('ntlm', 'ntlm'),
        ('lanman', 'lanman'),
    )
    for prefix, field in blobs:
        start = self[prefix + '_offset']
        stop = start + self[prefix + '_len']
        self[field] = data[start:stop]
def __init__(self, data=None, alignment = 0):
    """Initialise from ``data``; when it is non-empty, replace the raw
    Buffer field with an NDRArray of SHARE_INFO_1 entries.

    Note the truthiness test: an empty ``data`` (not just None) skips the
    array construction and leaves Buffer as parsed.
    """
    Structure.__init__(self, data, alignment)
    if not data:
        return
    entries = ndrutils.NDRArray(data=self['Buffer'], itemClass=SHARE_INFO_1)
    self.__array = entries
    self['Buffer'] = entries
def __init__(self, data=None, alignment=0):
    """Initialise the PDU; when building from scratch, blank the variable
    parts (Pad, ctx_items, sec_trailer, auth_data).

    The item list is created before the base initializer runs so that any
    parse it triggers (fromString appends parsed items to it) finds it.
    """
    self.__ctx_items = []
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    for name in ('Pad', 'ctx_items', 'sec_trailer', 'auth_data'):
        self[name] = ''
def fromString(self, data):
    """Parse the PDU, then split ctx_items into ctx_num CtxItemResult objects.

    ``ctx_num`` comes straight from the parsed header; each item consumes
    ``len(item)`` bytes of the remaining ctx_items bytes.  How CtxItemResult
    behaves when the bytes run out before ctx_num items are read is not
    visible here.  Parsed items are appended to the existing list, so
    parsing twice on the same object accumulates items.
    """
    Structure.fromString(self, data)
    remaining = self['ctx_items']
    for _ in range(self['ctx_num']):
        item = CtxItemResult(remaining)
        self.__ctx_items.append(item)
        remaining = remaining[len(item):]
def __init__(self, data = None, alignment = 0):
    """Initialise from ``data``, or with empty string fields when building
    from scratch."""
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    for name in ('cname', 'username', 'cltype_name', 'transport'):
        self[name] = ''
def __init__(self, data=None, alignment=0):
    """Initialise from ``data``, or with empty string fields when building
    from scratch."""
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    for name in ('cname', 'username', 'cltype_name', 'transport'):
        self[name] = ''
def fromString(self, data):
    """Parse the PDU, then split ctx_items into ctx_num CtxItemResult objects.

    ``ctx_num`` comes straight from the parsed header; each item consumes
    ``len(item)`` bytes of the remaining ctx_items bytes.  How CtxItemResult
    behaves when the bytes run out before ctx_num items are read is not
    visible here.  Parsed items are appended to the existing list, so
    parsing twice on the same object accumulates items.
    """
    Structure.fromString(self, data)
    remaining = self['ctx_items']
    for _ in range(self['ctx_num']):
        item = CtxItemResult(remaining)
        self.__ctx_items.append(item)
        remaining = remaining[len(item):]
def __init__(self, data = None, alignment = 0):
    """Initialise the PDU; when building from scratch, blank the variable
    parts (Pad, ctx_items, sec_trailer, auth_data).

    The item list is created before the base initializer runs so that any
    parse it triggers (fromString appends parsed items to it) finds it.
    """
    self.__ctx_items = []
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    for name in ('Pad', 'ctx_items', 'sec_trailer', 'auth_data'):
        self[name] = ''
def __init__(self, data = None, alignment = 0):
    """Initialise a bind PDU; when building from scratch, set default
    fragment sizes, a fresh association group and one (empty) context.

    Note that the item list is only created in the build-from-scratch
    path; an object parsed from ``data`` does not get one here.
    """
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    defaults = (
        ('max_tfrag', 4280),
        ('max_rfrag', 4280),
        ('assoc_group', 0),
        ('ctx_num', 1),
        ('ctx_items', ''),
    )
    for name, value in defaults:
        self[name] = value
    self.__ctx_items = []
def __init__(self, data=None, alignment=0):
    """Initialise a bind PDU; when building from scratch, set default
    fragment sizes, a fresh association group and one (empty) context.

    Note that the item list is only created in the build-from-scratch
    path; an object parsed from ``data`` does not get one here.
    """
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    defaults = (
        ('max_tfrag', 4280),
        ('max_rfrag', 4280),
        ('assoc_group', 0),
        ('ctx_num', 1),
        ('ctx_items', ''),
    )
    for name, value in defaults:
        self[name] = value
    self.__ctx_items = []
def fromString(self,data):
    """Parse the message and trim TargetInfoFields to its declared length.

    Anything past TargetInfoFields_len is dropped.  The field is kept as
    raw bytes here; decoding it into AV pairs (an earlier, now disabled
    version did so) is left to the caller.  Returns ``self``.
    """
    Structure.fromString(self, data)
    declared_len = self['TargetInfoFields_len']
    self['TargetInfoFields'] = self['TargetInfoFields'][:declared_len]
    return self
def fromString(self, data):
    """Parse the message and trim TargetInfoFields to its declared length.

    Anything past TargetInfoFields_len is dropped.  The field is kept as
    raw bytes here; decoding it into AV pairs (an earlier, now disabled
    version did so) is left to the caller.  Returns ``self``.
    """
    Structure.fromString(self, data)
    declared_len = self['TargetInfoFields_len']
    self['TargetInfoFields'] = self['TargetInfoFields'][:declared_len]
    return self
def __init__(self):
    """Start an NTLM message with a fixed negotiate-flag set and empty
    host_name, domain_name and os_version.

    LM_KEY, ALWAYS_SIGN and TARGET are deliberately not part of the set.
    """
    Structure.__init__(self)
    self['flags'] = (NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY
                     | NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL)
    for name in ('host_name', 'domain_name', 'os_version'):
        self[name] = ''
def __init__(self, data = None, alignment = 0):
    """Initialise an RPC PDU header; when building from scratch, describe a
    version 5.0, single-fragment REQUEST with no auth trailer."""
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    self['ver_major'] = 5
    self['ver_minor'] = 0
    self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG
    self['type'] = MSRPC_REQUEST
    self.__frag_len_set = 0
    self['auth_len'] = 0
    for name in ('pduData', 'auth_data', 'sec_trailer', 'pad'):
        self[name] = ''
def __init__(self, data=None, alignment=0):
    """Initialise an RPC PDU header; when building from scratch, describe a
    version 5.0, single-fragment REQUEST with no auth trailer."""
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    self['ver_major'] = 5
    self['ver_minor'] = 0
    self['flags'] = MSRPC_FIRSTFRAG | MSRPC_LASTFRAG
    self['type'] = MSRPC_REQUEST
    self.__frag_len_set = 0
    self['auth_len'] = 0
    for name in ('pduData', 'auth_data', 'sec_trailer', 'pad'):
        self[name] = ''
def __init__(self, version, revision, pageSize=8192, data=None):
    """Pick the header layout that matches ``version``/``revision``, then parse.

    * below 0x620, or 0x620 with revision < 0x0b: the 2003 SP0 layout;
    * 0x620 with revision < 0x11: the 0x620/0x0b layout (Exchange 2003 SP1,
      Vista and later, per the original comments);
    * anything newer: the Windows 7 layout.
    ``self.common`` is appended to whichever is chosen, and the extended
    Windows 7 fields are added when ``pageSize`` exceeds 8192.
    """
    is_legacy = version < 0x620 or (version == 0x620 and revision < 0x0b)
    if is_legacy:
        layout = self.structure_2003_SP0
    elif version == 0x620 and revision < 0x11:
        layout = self.structure_0x620_0x0b
    else:
        layout = self.structure_win7
    self.structure = layout + self.common
    if pageSize > 8192:
        self.structure += self.extended_win7
    Structure.__init__(self, data)
def __init__(self, version, revision, pageSize=8192, data=None):
    """Pick the header layout that matches ``version``/``revision``, then parse.

    * below 0x620, or 0x620 with revision < 0x0b: the 2003 SP0 layout;
    * 0x620 with revision < 0x11: the 0x620/0x0b layout (Exchange 2003 SP1,
      Vista and later, per the original comments);
    * anything newer: the Windows 7 layout.
    ``self.common`` is appended to whichever is chosen, and the extended
    Windows 7 fields are added when ``pageSize`` exceeds 8192.
    """
    is_legacy = version < 0x620 or (version == 0x620 and revision < 0x0b)
    if is_legacy:
        layout = self.structure_2003_SP0
    elif version == 0x620 and revision < 0x11:
        layout = self.structure_0x620_0x0b
    else:
        layout = self.structure_win7
    self.structure = layout + self.common
    if pageSize > 8192:
        self.structure += self.extended_win7
    Structure.__init__(self, data)
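def fromString(self, data):
    """Parse the message, extracting the domain and workstation payloads by
    their offset/length pairs and the optional 8-byte Version field.

    The Version field occupies bytes [32:40] and is only meaningful when
    the NTLMSSP_VERSION flag is set.  The previous guard accepted any
    message of at least 36 bytes, so a 36..39-byte message produced a
    truncated os_version; the full 40 bytes are now required and shorter
    input yields an empty os_version.  Slicing never raises on
    out-of-range offsets, so bad offset/length pairs yield short blobs.
    """
    Structure.fromString(self, data)
    domain_start = self['domain_offset']
    self['domain_name'] = data[domain_start:domain_start + self['domain_len']]
    host_start = self['host_offset']
    self['host_name'] = data[host_start:host_start + self['host_len']]
    has_os_info = self['flags'] & NTLMSSP_VERSION
    # Require the whole Version field (8 bytes at offset 32), not just 36 bytes.
    if has_os_info and len(data) >= 40:
        self['os_version'] = data[32:40]
    else:
        self['os_version'] = ''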
def __init__(self):
    """Start an NTLM message with a fixed negotiate-flag set and empty
    host_name, domain_name and os_version.

    LM_KEY, ALWAYS_SIGN and TARGET are deliberately not part of the set.
    """
    Structure.__init__(self)
    self['flags'] = (NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY
                     | NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL)
    for name in ('host_name', 'domain_name', 'os_version'):
        self[name] = ''
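def fromString(self,data):
    """Parse the message, extracting the domain and workstation payloads by
    their offset/length pairs and the optional 8-byte Version field.

    The Version field occupies bytes [32:40] and is only meaningful when
    the NTLMSSP_VERSION flag is set.  The previous guard accepted any
    message of at least 36 bytes, so a 36..39-byte message produced a
    truncated os_version; the full 40 bytes are now required and shorter
    input yields an empty os_version.  Slicing never raises on
    out-of-range offsets, so bad offset/length pairs yield short blobs.
    """
    Structure.fromString(self, data)
    domain_start = self['domain_offset']
    self['domain_name'] = data[domain_start:domain_start + self['domain_len']]
    host_start = self['host_offset']
    self['host_name'] = data[host_start:host_start + self['host_len']]
    has_os_info = self['flags'] & NTLMSSP_VERSION
    # Require the whole Version field (8 bytes at offset 32), not just 36 bytes.
    if has_os_info and len(data) >= 40:
        self['os_version'] = data[32:40]
    else:
        self['os_version'] = ''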
def getData(self):
    """Lay the payload blobs out back to back after the fixed header, fill
    in their offsets, and serialise.

    The header length is 64 plus whatever checkMIC/checkVersion return for
    the current flags (their sizes are not visible here).  Blobs follow in
    the order domain, user, host, lanman, ntlm, session_key with no padding.
    """
    flags = self["flags"]
    header_len = 64 + self.checkMIC(flags) + self.checkVersion(flags)
    self['domain_offset'] = header_len
    self['user_offset'] = header_len + len(self['domain_name'])
    self['host_offset'] = self['user_offset'] + len(self['user_name'])
    self['lanman_offset'] = self['host_offset'] + len(self['host_name'])
    self['ntlm_offset'] = self['lanman_offset'] + len(self['lanman'])
    self['session_key_offset'] = self['ntlm_offset'] + len(self['ntlm'])
    return Structure.getData(self)
def getData(self):
    """Lay the payload blobs out back to back after the fixed header, fill
    in their offsets, and serialise.

    The header length is 64 plus whatever checkMIC/checkVersion return for
    the current flags (their sizes are not visible here).  Blobs follow in
    the order domain, user, host, lanman, ntlm, session_key with no padding.
    """
    flags = self["flags"]
    header_len = 64 + self.checkMIC(flags) + self.checkVersion(flags)
    self['domain_offset'] = header_len
    self['user_offset'] = header_len + len(self['domain_name'])
    self['host_offset'] = self['user_offset'] + len(self['user_name'])
    self['lanman_offset'] = self['host_offset'] + len(self['host_name'])
    self['ntlm_offset'] = self['lanman_offset'] + len(self['lanman'])
    self['session_key_offset'] = self['ntlm_offset'] + len(self['ntlm'])
    return Structure.getData(self)
def __init__(self, username='', password='', challenge='', lmhash='', nthash='', flags=0):
    """Build an NTLMv1 authentication message from a username and either
    hashes or a password.

    Credential selection, in priority order:
      * username plus a non-empty lmhash or nthash: responses are computed
        from the given hashes (both are used as-is, even if one is empty);
      * username plus password: hashes are derived with compute_lmhash /
        compute_nthash first;
      * anything else: lanman and ntlm responses are left empty.
    ``flags`` is accepted for signature compatibility but is not read; the
    negotiate flags are fixed below.  ``session_key`` and ``domain_name``
    start empty and ``host_name`` falls back to 'NULL' (UTF-16LE) because
    a NULL session still needs a workstation name.
    """
    Structure.__init__(self)
    self['session_key'] = ''
    self['user_name'] = username.encode('utf-16le')
    self['domain_name'] = ''
    self['host_name'] = ''
    # Original authors' note (beto & gera): this flag set appears to make a
    # Windows 2000 responder answer with uninitialised verifiers, leaking
    # memory contents.  LM_KEY, ALWAYS_SIGN and TARGET are deliberately not set.
    self['flags'] = (NTLMSSP_KEY_128 | NTLMSSP_KEY_EXCHANGE | NTLMSSP_NTLM_KEY
                     | NTLMSSP_UNICODE | NTLMSSP_SIGN | NTLMSSP_SEAL)
    have_hashes = lmhash != '' or nthash != ''
    if username and have_hashes:
        self['lanman'] = get_ntlmv1_response(lmhash, challenge)
        self['ntlm'] = get_ntlmv1_response(nthash, challenge)
    elif username and password:
        lm_hash = compute_lmhash(password)
        nt_hash = compute_nthash(password)
        self['lanman'] = get_ntlmv1_response(lm_hash, challenge)
        self['ntlm'] = get_ntlmv1_response(nt_hash, challenge)
    else:
        self['lanman'] = ''
        self['ntlm'] = ''
    if not self['host_name']:
        self['host_name'] = 'NULL'.encode('utf-16le')
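def __init__(self, data):
    """Build the catalog-entry layout that matches the record's type, then parse.

    The record type is the little-endian uint16 at offset 4 of ``data``.
    The layout is ``self.fixed`` plus a type-specific part; as in the
    original, ``Structure.__init__`` runs once on that, then again after
    ``self.common`` is appended.  An unknown type is logged and parsed
    with the common fields only.

    Raises:
        NotImplementedError: for CATALOG_TYPE_CALLBACK records.  The
            previous bare ``raise`` had no active exception and so came
            out as a RuntimeError; NotImplementedError subclasses
            RuntimeError, so existing handlers still match.
        struct.error: when ``data`` holds fewer than 6 bytes.
    """
    dataType = unpack('<H', data[4:6])[0]
    self.structure = self.fixed
    if dataType == CATALOG_TYPE_TABLE:
        self.structure += self.other + self.table_stuff
    elif dataType == CATALOG_TYPE_COLUMN:
        self.structure += self.column_stuff
    elif dataType == CATALOG_TYPE_INDEX:
        self.structure += self.other + self.index_stuff
    elif dataType == CATALOG_TYPE_LONG_VALUE:
        self.structure += self.other + self.lv_stuff
    elif dataType == CATALOG_TYPE_CALLBACK:
        LOG.error('CallBack types not supported!')
        raise NotImplementedError('CallBack types not supported!')
    else:
        # Best effort: keep going with just the common fields.
        LOG.error('Unknown catalog type 0x%x' % dataType)
        self.structure = ()
    Structure.__init__(self, data)
    self.structure += self.common
    Structure.__init__(self, data)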
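def __init__(self,data):
    """Build the catalog-entry layout that matches the record's type, then parse.

    The record type is the little-endian uint16 at offset 4 of ``data``.
    The layout is ``self.fixed`` plus a type-specific part; as in the
    original, ``Structure.__init__`` runs once on that, then again after
    ``self.common`` is appended.  An unknown type is logged and parsed
    with the common fields only.

    Raises:
        NotImplementedError: for CATALOG_TYPE_CALLBACK records.  The
            previous bare ``raise`` had no active exception and so came
            out as a RuntimeError; NotImplementedError subclasses
            RuntimeError, so existing handlers still match.
        struct.error: when ``data`` holds fewer than 6 bytes.
    """
    dataType = unpack('<H', data[4:6])[0]
    self.structure = self.fixed
    if dataType == CATALOG_TYPE_TABLE:
        self.structure += self.other + self.table_stuff
    elif dataType == CATALOG_TYPE_COLUMN:
        self.structure += self.column_stuff
    elif dataType == CATALOG_TYPE_INDEX:
        self.structure += self.other + self.index_stuff
    elif dataType == CATALOG_TYPE_LONG_VALUE:
        self.structure += self.other + self.lv_stuff
    elif dataType == CATALOG_TYPE_CALLBACK:
        LOG.error('CallBack types not supported!')
        raise NotImplementedError('CallBack types not supported!')
    else:
        # Best effort: keep going with just the common fields.
        LOG.error('Unknown catalog type 0x%x' % dataType)
        self.structure = ()
    Structure.__init__(self, data)
    self.structure += self.common
    Structure.__init__(self, data)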
def getData(self):
    """Raise the WORKSTATION/DOMAIN/VERSION flags for whichever optional
    fields are populated, compute the payload offsets, and serialise.

    Layout: 32-byte fixed header, then the 8-byte Version field when
    NTLMSSP_VERSION is set, then host_name followed by domain_name.
    """
    fields = self.fields
    if len(fields['host_name']) > 0:
        self['flags'] |= NTLMSSP_WORKSTATION
    if len(fields['domain_name']) > 0:
        self['flags'] |= NTLMSSP_DOMAIN
    if len(fields['os_version']) > 0:
        self['flags'] |= NTLMSSP_VERSION
    flags = self['flags']
    version_len = 8 if (flags & NTLMSSP_VERSION) == NTLMSSP_VERSION else 0
    if (flags & NTLMSSP_WORKSTATION) == NTLMSSP_WORKSTATION:
        self['host_offset'] = 32 + version_len
    if (flags & NTLMSSP_DOMAIN) == NTLMSSP_DOMAIN:
        self['domain_offset'] = 32 + version_len + len(self['host_name'])
    return Structure.getData(self)
def getData(self):
    """Raise the WORKSTATION/DOMAIN/VERSION flags for whichever optional
    fields are populated, compute the payload offsets, and serialise.

    Layout: 32-byte fixed header, then the 8-byte Version field when
    NTLMSSP_VERSION is set, then host_name followed by domain_name.
    """
    fields = self.fields
    if len(fields['host_name']) > 0:
        self['flags'] |= NTLMSSP_WORKSTATION
    if len(fields['domain_name']) > 0:
        self['flags'] |= NTLMSSP_DOMAIN
    if len(fields['os_version']) > 0:
        self['flags'] |= NTLMSSP_VERSION
    flags = self['flags']
    version_len = 8 if (flags & NTLMSSP_VERSION) == NTLMSSP_VERSION else 0
    if (flags & NTLMSSP_WORKSTATION) == NTLMSSP_WORKSTATION:
        self['host_offset'] = 32 + version_len
    if (flags & NTLMSSP_DOMAIN) == NTLMSSP_DOMAIN:
        self['domain_offset'] = 32 + version_len + len(self['host_name'])
    return Structure.getData(self)
def __init__(self, data=None, alignment=0):
    """Initialise from ``data``, or with empty netname/remark when building
    from scratch."""
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    for name in ('netname', 'remark'):
        self[name] = ''
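def __init__(self, flags=0, **kargs):
    """Choose the signature layout from the NTLM flags, then initialise.

    With NTLMSSP_NTLM2_KEY set in ``flags`` the extended signature layout
    is used, otherwise the plain one.  All other keyword arguments go to
    ``Structure.__init__``.
    """
    if flags & NTLMSSP_NTLM2_KEY:
        self.structure = self.extendedMessageSignature
    else:
        self.structure = self.MessageSignature
    # __init__ must return None; the original returned the base
    # initializer's result, which only works while that result is None.
    Structure.__init__(self, **kargs)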
def __init__(self, data = None):
    """Initialise from ``data``; a structure built from scratch starts
    with TreeID 0."""
    Structure.__init__(self, data)
    building_fresh = data is None
    if building_fresh:
        self['TreeID'] = 0
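def __init__(self, flags = 0, **kargs):
    """Choose the signature layout from the NTLM flags, then initialise.

    With NTLMSSP_NTLM2_KEY set in ``flags`` the extended signature layout
    is used, otherwise the plain one.  All other keyword arguments go to
    ``Structure.__init__``.
    """
    if flags & NTLMSSP_NTLM2_KEY:
        self.structure = self.extendedMessageSignature
    else:
        self.structure = self.MessageSignature
    # __init__ must return None; the original returned the base
    # initializer's result, which only works while that result is None.
    Structure.__init__(self, **kargs)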
def getData(self):
    """Serialise the structure as-is.

    No alignment padding is applied here: the AlignPad /
    SecurityBufferOffset / SecurityBufferLength adjustment that an earlier
    version performed is disabled, so those fields are emitted unchanged.
    """
    return Structure.getData(self)
def __init__(self, data = None, alignment = 0):
    """Initialise from ``data``, or with empty netname/remark when building
    from scratch."""
    Structure.__init__(self, data, alignment)
    if data is not None:
        return
    for name in ('netname', 'remark'):
        self[name] = ''
def __init__(self, flags, data=None):
    """Prepend the common header to the layout when TAG_COMMON is set in
    ``flags``, then parse/initialise from ``data``.

    Python's ``&`` binds tighter than ``>``, so the original test was
    already ``(flags & TAG_COMMON) > 0``; the parentheses make that explicit.
    """
    include_common = (flags & TAG_COMMON) > 0
    if include_common:
        self.structure = self.common + self.structure
    Structure.__init__(self, data)
def getData(self):
    """Refresh ctx_num from the collected items, append each item's bytes
    to ctx_items, and serialise.

    ctx_items is appended to rather than rebuilt, so calling getData()
    twice on the same object emits the items twice; this is the original
    behaviour and is preserved here.
    """
    items = self.__ctx_items
    self['ctx_num'] = len(items)
    for entry in items:
        self['ctx_items'] += entry.getData()
    return Structure.getData(self)
def __init__(self, flags, data=None):
    """Prepend the common header to the layout when TAG_COMMON is set in
    ``flags``, then parse/initialise from ``data``.

    Python's ``&`` binds tighter than ``>``, so the original test was
    already ``(flags & TAG_COMMON) > 0``; the parentheses make that explicit.
    """
    include_common = (flags & TAG_COMMON) > 0
    if include_common:
        self.structure = self.common + self.structure
    Structure.__init__(self, data)
def __init__(self, data = None):
    """Initialise from ``data``; a structure built from scratch starts
    with an empty AlignPad."""
    Structure.__init__(self, data)
    building_fresh = data is None
    if building_fresh:
        self['AlignPad'] = ''
def getData(self):
    """Flatten a structured TargetInfoFields value to bytes, then serialise.

    If TargetInfoFields holds an object (anything that is neither None nor
    exactly ``str``), its own getData() output replaces it in place before
    the message is serialised; the check is on the exact type, so ``str``
    subclasses would also be treated as objects.
    """
    target_info = self['TargetInfoFields']
    if target_info is not None and type(target_info) is not str:
        self['TargetInfoFields'] = target_info.getData()
    return Structure.getData(self)
def __init__(self, data = None, alignment = 0):
    """Initialise from ``data``; a structure built from scratch starts
    with an empty SupportedVersions."""
    Structure.__init__(self, data, alignment)
    building_fresh = data is None
    if building_fresh:
        self['SupportedVersions'] = ''
def getData(self):
    """Flatten a structured TargetInfoFields value to bytes, then serialise.

    If TargetInfoFields holds an object (anything that is neither None nor
    exactly ``str``), its own getData() output replaces it in place before
    the message is serialised; the check is on the exact type, so ``str``
    subclasses would also be treated as objects.
    """
    target_info = self['TargetInfoFields']
    if target_info is not None and type(target_info) is not str:
        self['TargetInfoFields'] = target_info.getData()
    return Structure.getData(self)
def getData(self):
    """Overwrite pResumeHandler with a fixed 8-byte value and serialise.

    The constant is 0x9abc little-endian followed by six zero bytes; what
    the two halves mean on the wire is not documented here.
    """
    resume_handle = '\xbc\x9a\x00\x00\x00\x00\x00\x00'
    self['pResumeHandler'] = resume_handle
    return Structure.getData(self)
def __init__(self, data=None, alignment=0):
    """Initialise from ``data``; a structure built from scratch starts
    with an empty SupportedVersions."""
    Structure.__init__(self, data, alignment)
    building_fresh = data is None
    if building_fresh:
        self['SupportedVersions'] = ''